通过Gitlab CI将图像推送到GCR时,服务帐户没有storage.buckets.lists访问项目 [英] Service account does not have storage.buckets.lists access to project while pushing images to GCR via Gitlab CI
问题描述
我正在使用Gitlab CI构建docker映像并将其推送到GCR.我的脚本是这样的-
I am using Gitlab CI to build docker images and to push them to GCR. My Script goes like this -
build:
image: google/cloud-sdk
services:
- docker:dind
stage: build
cache:
script:
- echo "$GCP_SERVICE_KEY" > gcloud-service-key.json # Google Cloud service accounts
- gcloud auth activate-service-account --key-file gcloud-service-key.json
- gcloud auth configure-docker --quiet
- gcloud config set project $GCP_PROJECT_ID
- echo ${IMAGE_NAME}:${IMAGE_TAG}
- PYTHONUNBUFFERED=1 gcloud builds submit -t ${IMAGE_NAME}:${IMAGE_TAG} .
only:
- master
我收到此错误-
ERROR: (gcloud.builds.submit) HTTPError 403: <service account name>@<projectname>.iam.gserviceaccount.com does not have storage.buckets.list access to project <projectid>.
授予服务帐户Cloud Editor权限后,出现错误-
After giving service account Cloud Editor permissions, I am getting the error -
ERROR: (gcloud.builds.submit) User [<service account name>@<projectname>.iam.gserviceaccount.com] does not have permission to access b [<bucker_name>] (or it may not exist): <service account name>@<projectname>.iam.gserviceaccount.com does not have storage.buckets.get access to <bucket_name>
要达到此目的,我必须授予服务帐户所有什么权限?
What all permissions do I have to give to service account to achieve so?
推荐答案
出现错误:
<service account name>@<projectname>.iam.gserviceaccount.com
does not have storage.buckets.list access to project <projectid>
我怀疑<projectname>和<projectid>指的是两个不同的项目.
I suspect that <projectname> and <projectid> refer to 2 different projects.
拥有服务帐户(<projectname>)的项目很可能具有storage.[buckets|objects].*权限,但是这些权限将应用于<projectname>控制的GCS资源,而不是应用于
The project that owns the service account (<projectname>) may well have storage.[buckets|objects].* permissions but these will apply to the GCS resources controlled by <projectname> and not to those controlled by <projectid>.
NB 是的,看到由不同类型的键引用的项目会令人困惑,但是要确认将<projectname>的ProjectID与<projectid>进行比较.将<projectname>替换为其下面的值以获取ProjectID:
NB Yes, it's confusing to see projects referenced by different types of keys but, to confirm, compare the ProjectID of <projectname> with <projectid>. Replace <projectname> with its value in the below to retrieve the ProjectID:
gcloud projects list --filter="name=<projectname> --format="value(projectId)"
有两种方法允许身份访问GCS资源.首先是(如上所述)在项目级别创建它们.第二种是将它们应用于特定的存储桶.
There are 2 approaches to permitting identities to access GCS resources. The first is (as above) to create these at the project level. The second is to apply these to specific buckets.
请参阅下面的链接以获取指导.这是针对Cloud Build的服务帐户的,但原理是相同的.服务帐户(在项目<projectname>中)需要有权访问<projectid>中的GCS资源:
See the link below for guidance. It's for Cloud Build's service account but the principle is the same. The service account (in project <projectname>) needs to have access to the GCS resources in <projectid>:
这篇关于通过Gitlab CI将图像推送到GCR时,服务帐户没有storage.buckets.lists访问项目的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
