无法通过API为服务帐户创建cloudsql角色 [英] Can't create cloudsql role for Service Account via api
问题描述
我一直试图使用api在GCP中创建服务帐户.
I have been trying to use the api to create service accounts in GCP.
要创建服务帐户,我发送以下发帖请求:
To create a service account I send the following post request:
base_url = f"https://iam.googleapis.com/v1/projects/{project}/serviceAccounts"
auth = f"?access_token={access_token}"
data = {"accountId": name}
# Create a service Account
r = requests.post(base_url + auth, json=data)
这将返回200并创建一个服务帐户:
this returns a 200 and creates a service account:
然后,这是我用来创建特定角色的代码:
Then, this is the code that I use to create the specific roles:
sa = f"{name}@dotmudus-service.iam.gserviceaccount.com"
sa_url = base_url + f'/{sa}:setIamPolicy' + auth
data = {"policy":
{"bindings": [
{
"role": roles,
"members":
[
f"serviceAccount:{sa}"
]
}
]}
}
如果将角色设置为roles/viewer,roles/editor或roles/owner之一,则此方法有效.
但是,如果我要使用,特别是roles/cloudsql.viewer api告诉我不支持此选项.
If roles is set to one of roles/viewer, roles/editor or roles/owner this approach does work.
However, if I want to use, specifically roles/cloudsql.viewer The api tells me that this option is not supported.
这里是角色. https://cloud.google.com/iam/docs/understanding-roles
我不想授予该服务帐户对我的项目的全部查看者权限,这与最小特权原则背道而驰.
I don't want to give this service account full viewer rights to my project, it's against the principle of least privilege.
如何从api设置特定角色?
这是使用资源管理器api的响应:以roles/cloudsql.admin作为角色
here is the response using the resource manager api: with roles/cloudsql.admin as the role
POST https://cloudresourcemanager.googleapis.com/v1/projects/{project}:setIamPolicy?key={YOUR_API_KEY}
{
"policy": {
"bindings": [
{
"members": [
"serviceAccount:sa@{project}.iam.gserviceaccount.com"
],
"role": "roles/cloudsql.viewer"
}
]
}
}
{
"error": {
"code": 400,
"message": "Request contains an invalid argument.",
"status": "INVALID_ARGUMENT",
"details": [
{
"@type": "type.googleapis.com/google.cloudresourcemanager.projects.v1beta1.ProjectIamPolicyError",
"type": "SOLO_REQUIRE_TOS_ACCEPTOR",
"role": "roles/owner"
}
]
}
}
推荐答案
使用提供的代码,您似乎正在追加到第一个base_url,后者不是修改项目角色的正确上下文.
With the code provided it appears that you are appending to the first base_url which is not the correct context to modify project roles.
这将尝试将附加路径放置到:https://iam.googleapis.com/v1/projects/{project}/serviceAccount
This will try to place the appended path to: https://iam.googleapis.com/v1/projects/{project}/serviceAccount
添加角色的POST路径必须为:https://cloudresourcemanager.googleapis.com/v1/projects/{project]:setIamPolicy
The POST path for adding roles needs to be: https://cloudresourcemanager.googleapis.com/v1/projects/{project]:setIamPolicy
如果从base_url中删除/serviceAccounts,它应该可以工作.
If you remove /serviceAccounts from the base_url and it should work.
已编辑回复,以根据您的编辑添加更多信息
好的,很抱歉,我在这里看到了这个问题,但是我不得不建立一个新项目来对此进行测试.
OK, I see the issue here, sorry but I had to set up a new project to test this.
cloudresourcemanager.projects.setIamPolicy需要替换整个策略.看来您可以向更改内容添加约束,但是您必须在json中为该项目提交完整的政策.
cloudresourcemanager.projects.setIamPolicy needs to replace the entire policy. It appears that you can add constraints to what you change but that you have to submit a complete policy in json for the project.
请注意,gcloud具有一个--log-http选项,它将帮助您深入研究其中的一些问题.如果您运行
Note that gcloud has a --log-http option that will help you dig through some of these issues. If you run
gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:$NAME --role roles/cloudsql.viewer --log-http
它将向您展示如何提取现有的现有策略,附加新角色并添加新角色.
It will show you how it pulls the existing existing policy, appends the new role and adds it.
我建议使用此处提供的示例代码如果您不想使用gcloud或控制台向用户添加角色,请进行这些更改,因为这可能会影响整个项目.
I would recommend using the example code provided here to make these changes if you don't want to use gcloud or the console to add the role to the user as this could impact the entire project.
希望他们能够为此改进API.
Hopefully they improve the API for this need.
这篇关于无法通过API为服务帐户创建cloudsql角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
