服务帐户需要什么作用域/角色才能提交容器构建器作业? [英] What scopes / roles are required for a service account to be able to submit container builder jobs?

问题描述

创建新的服务帐户以处理Container Builder作业时，尽管服务帐户具有 Cloud Container Builder ， Logs Viewer 和私人日志查看器:

When creating a new service account to handle Container Builder jobs, the jobs fail with the following error despite the service account having Cloud Container Builder , Logs Viewer and Private Logs viewer:

ERROR: (gcloud.container.builds.submit) HTTPError 403:
<?xml version='1.0' encoding='UTF-8'?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access denied.</Message>
  <Details>v2-container-builder@redacted.iam.gserviceaccount.com does not have storage.objects.get access to object redacted.cloudbuild-logs.googleusercontent.com/log-20117c17-f2b4-4159-9883-104ddd7bb232.txt.
  </Details>
</Error>

我了解错误指向云存储上文件的 storage.objects.get 权限，但这不是我们可以设置 acl 的存储桶吗?

I understand the error points to storage.objects.get permissions over a file on cloud storage, but this is not a bucket we can set acl for is it ?

推荐答案

以下是

GCS权限早于IAM，因此工作方式略有不同.至查看日志，相关服务帐户必须是查看者"该项目除具有构建器编辑器"角色外.

GCS permissions predate IAM and thus work a little differently. To view the logs, the Service Account in question needs to be a Viewer on the project in addition to have the Builder Editor role.

这篇关于服务帐户需要什么作用域/角色才能提交容器构建器作业?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！