使用云存储时,对Cloud KMS密钥的权限被拒绝 [英] Permission denied on Cloud KMS key when using cloud storage
问题描述
我正在使用cloud storage
用kms密钥上传文件.这是我的代码:
I am using cloud storage
upload a file with kms key. Here is my code:
await storage.bucket(config.bucket).upload(file, {
kmsKeyName: `projects/${process.env.PROJECT_ID}/locations/global/keyRings/test/cryptoKeys/nodejs-gcp`,
destination: 'mmczblsq.kms.encrypted.doc'
});
我有一个具有cloud storage admin
权限的cloud-storage-admin.json
服务帐户.使用该服务帐户初始化storage
.
I have a cloud-storage-admin.json
service account with cloud storage admin
permission. Initialize the storage
with this service account.
const storage: Storage = new Storage({
projectId: process.env.PROJECT_ID,
keyFilename: path.resolve(__dirname, '../.gcp/cloud-storage-admin.json')
});
而且,我使用gcloud kms keys add-iam-policy-binding
将roles/cloudkms.cryptoKeyEncrypterDecrypter
添加到cloud-storage-admin.json
服务帐户.
And, I use gcloud kms keys add-iam-policy-binding
add roles/cloudkms.cryptoKeyEncrypterDecrypter
to cloud-storage-admin.json
service account.
当我尝试使用kms密钥上传文件时,仍然出现此权限错误:
When I try to upload a file with kms key, still got this permission error:
对Cloud KMS密钥的权限被拒绝.请确保您的Cloud Storage服务帐户已被授权使用此密钥.
Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key.
更新
☁ nodejs-gcp [master] ⚡ gcloud kms keys get-iam-policy nodejs-gcp --keyring=test --location=global
bindings:
- members:
- serviceAccount:cloud-storage-admin@<PROJECT_ID>.iam.gserviceaccount.com
- serviceAccount:service-16536262744@gs-project-accounts.iam.gserviceaccount.com
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: BwWJ2Pdc5YM=
version: 1
推荐答案
使用kmsKeyName
时,Google Cloud Storage是调用KMS的实体,而不是您的服务帐户.这有点令人困惑:
When you use kmsKeyName
, Google Cloud Storage is the entity calling KMS, not your service account. It's a bit confusing:
- 您的服务帐户有权调用Cloud Storage API
- 然后,Cloud Storage Service帐户在传输过程中调用KMS API
您将需要获取Cloud Storage服务帐户并授予该服务帐户可以调用Cloud KMS:
You will need to get the Cloud Storage service account and grant that service account the ability to invoke Cloud KMS:
- 选项1:打开API资源管理器,授权并执行
-
选项2:安装 gcloud ,对gcloud进行身份验证,安装 oauth2l ,然后运行此
curl
命令,将[PROJECT_ID]
替换为您的项目ID:
- Option 1: Open the API explorer, authorize, and execute
Option 2: Install gcloud, authenticate to gcloud, install oauth2l, and run this
curl
command replacing[PROJECT_ID]
with your project ID:
curl -X GET -H "$(oauth2l header cloud-platform)" \
"https://www.googleapis.com/storage/v1/projects/[PROJECT_ID]/serviceAccount"
service-[PROJECT_NUMBER]@gs-project-accounts.iam.gserviceaccount.com
,并从 gcloud projects list
或网络界面.
service-[PROJECT_NUMBER]@gs-project-accounts.iam.gserviceaccount.com
and get your [PROJECT_NUMBER]
from gcloud projects list
or the web interface.这篇关于使用云存储时,对Cloud KMS密钥的权限被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!