Google Cloud Resource Manager API-向用户授予所有者角色 [英] Google Cloud Resource Manager API - grant owner role to a user
问题描述
我在 Google Cloud Resource Manager API 中使用了服务帐户授权Google Apps脚本.在该程序中,我有兴趣更新开发者控制台项目的角色.
I am using Google Cloud Resource Manager API with Service Account authorization in Google Apps Script. In the program I am interested in updating the roles of a Developer Console Project.
具体来说,我正在尝试将开发者控制台项目的所有者更改为编辑者,并将另一个用户更改为所有者.我相信就HTTP请求有效负载而言,它看起来像:
Specifically, I am trying to change Developer Console project's owner to editor and another user as owner. This, I believe in terms of HTTP Request payload would look like:
// before (taken from response of getIamPolicy REST call)
{
"bindings": [{
"role": "roles/owner",
"members": ["user:abc@my-google-domain.com"]
}],
"version": "0",
"etag": "acbqwcada="
}
// after (modified policy) used in setIamPolicy REST call
{
"bindings": [{
"role": "roles/owner",
"members": ["user:def@my-google-domain.com"]
},
{
"role": "roles/editor",
"members": ["user:abc@my-google-domain.com"]
}],
"version": "0",
"etag": "acbqwcada="
}
我观察到的几件事:
-
将当前的所有者(用户电子邮件)更改为编辑者并添加新所有者(用户电子邮件)时,API调用将返回
SOLO_MUST_INVITE_OWNERS错误.在这里,我将服务帐户模拟为具有所有必要的域范围访问权限的项目的初始所有者.
When changing current owner (user email) to editor and adding new owner (user email) the API call is returning
SOLO_MUST_INVITE_OWNERSerror. Here, I am impersonating service account as initial owner of project with all necessary domain wide access
但是,当我在Google API资源管理器中使用相同的有效负载进行相同的调用时,它的运行正常!
However, when I do the same call in Google API explorer with same payload, its working fine!
Google云和身份管理文档似乎令人困惑.它说在某一点"Cloud Resource Manager IAM methods only support granting the owner role to user and serviceAccount"上,而在另一点"A user cannot be granted owner access using setIamPolicy(). The user must be granted the owner role using the Cloud Platform Console and he must explicitly accept the invitation."上-我想知道设置setIamPolicy()之外的策略还有其他方法吗?
Google Cloud and Identity Management documentation seems confusing. It says in one point "Cloud Resource Manager IAM methods only support granting the owner role to user and serviceAccount" while in another point "A user cannot be granted owner access using setIamPolicy(). The user must be granted the owner role using the Cloud Platform Console and he must explicitly accept the invitation." -- I am wondering is there any other way to set policies other than setIamPolicy()?
推荐答案
Cloud Resource Manager API不支持通过setIamPolicy,
The Cloud Resource Manager API does not support adding an owner via setIamPolicy, see the documentation on setIamPolicy:
要添加为所有者,必须通过Cloud Platform邀请用户 控制台,并且必须接受邀请.
To be added as an owner, a user must be invited via Cloud Platform console and must accept the invitation.
邀请def@my-google-domain.com并接受它们之后(它们将在Cloud Platform控制台中显示为项目的所有者,并显示为getIamPolicy返回的owner绑定的成员)您可以进行setIamPolicy调用,将abc@my-google-domain.com设置为editor.
After you've invited def@my-google-domain.com and they've accepted (they'll appear as an owner of the project in the Cloud Platform console, and also as a member of the owner binding returned by getIamPolicy) you can make the setIamPolicy call to make abc@my-google-domain.com an editor.
这篇关于Google Cloud Resource Manager API-向用户授予所有者角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
