服务帐户没有 Google Cloud Storage 的 storage.objects.get 访问权限 [英] service account does not have storage.objects.get access for Google Cloud Storage

问题描述

我已在 Google Cloud Console 中创建了一个服务帐号，并选择了角色 Storage/Storage Admin(即完全控制 GCS 资源).

I have created a service account in Google Cloud Console and selected role Storage / Storage Admin (i.e. full control of GCS resources).

gcloud projects get-iam-policy my_project 似乎表明该角色实际上已被选中:

gcloud projects get-iam-policy my_project seems to indicate that the role was actually selected:

- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.admin
- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.objectAdmin
- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.objectCreator

并且documentation 明确指出角色roles/storage.admin 包含权限 storage.objects.*(以及 storage.buckets.*).

And documentation clearly indicates that role roles/storage.admin comprises permissions storage.objects.* (as well as storage.buckets.*).

但是当我尝试将该服务帐户与适用于 Python 的 Google Cloud Storage 客户端库结合使用时，我收到以下错误消息:

But when I try using that service account in conjunction with the Google Cloud Storage Client Library for Python, I receive this error message:

my_sa@my_project.iam.gserviceaccount.com 没有storage.objects.get 访问 my_project/my_bucket.

my_sa@my_project.iam.gserviceaccount.com does not have storage.objects.get access to my_project/my_bucket.

那么为什么所选角色在这种情况下是不够的?

So why would the selected role not be sufficient in this context?

推荐答案

问题显然是服务帐户与太多角色相关联，这可能是之前尝试配置的结果.

The problem was apparently that the service account was associated with too many roles, perhaps as a results of previous configuration attempts.

这些步骤解决了问题:

• 删除了 IAM & 下违规服务帐户(成员)my_sa 的所有(三个)角色管理员/IAM
• 删除了 IAM & 下的 my_sa管理员/服务帐号
• 重新创建my_sa(再次使用角色Storage/Storage Admin)

• removed all (three) roles for the offending service account (member) my_sa under IAM & Admin / IAM
• deleted my_sa under IAM & Admin / Service accounts
• recreated my_sa (again with role Storage / Storage Admin)

效果是这样的:

• my_sa 在 IAM & 下显示一个角色 (Storage Admin)管理员/IAM
• my_sa 显示为 Storage/Browser/my_bucket/Edit bucket permissions<下的成员/code>

• my_sa shows up with one role (Storage Admin) under IAM & Admin / IAM
• my_sa shows up as member under Storage / Browser / my_bucket / Edit bucket permissions

这篇关于服务帐户没有 Google Cloud Storage 的 storage.objects.get 访问权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！