服务帐户没有 Google Cloud Storage 的 storage.objects.get 访问权限 [英] service account does not have storage.objects.get access for Google Cloud Storage
问题描述
我已在 Google Cloud Console 中创建了一个服务帐号,并选择了角色 Storage
/Storage Admin
(即完全控制 GCS 资源).
I have created a service account in Google Cloud Console and selected role Storage
/ Storage Admin
(i.e. full control of GCS resources).
gcloud projects get-iam-policy my_project
似乎表明该角色实际上已被选中:
gcloud projects get-iam-policy my_project
seems to indicate that the role was actually selected:
- members:
- serviceAccount:my_sa@my_project.iam.gserviceaccount.com
role: roles/storage.admin
- members:
- serviceAccount:my_sa@my_project.iam.gserviceaccount.com
role: roles/storage.objectAdmin
- members:
- serviceAccount:my_sa@my_project.iam.gserviceaccount.com
role: roles/storage.objectCreator
并且documentation 明确指出角色roles/storage.admin
包含权限 storage.objects.*
(以及 storage.buckets.*
).
And documentation clearly indicates that role roles/storage.admin
comprises permissions storage.objects.*
(as well as storage.buckets.*
).
但是当我尝试将该服务帐户与适用于 Python 的 Google Cloud Storage 客户端库结合使用时,我收到以下错误消息:
But when I try using that service account in conjunction with the Google Cloud Storage Client Library for Python, I receive this error message:
my_sa@my_project.iam.gserviceaccount.com 没有storage.objects.get 访问 my_project/my_bucket.
my_sa@my_project.iam.gserviceaccount.com does not have storage.objects.get access to my_project/my_bucket.
那么为什么所选角色在这种情况下是不够的?
So why would the selected role not be sufficient in this context?
推荐答案
问题显然是服务帐户与太多角色相关联,这可能是之前尝试配置的结果.
The problem was apparently that the service account was associated with too many roles, perhaps as a results of previous configuration attempts.
这些步骤解决了问题:
- 删除了
IAM & 下违规服务帐户(成员)
/my_sa
的所有(三个)角色管理员IAM
- 删除了
IAM & 下的
/my_sa
管理员服务帐号
- 重新创建
my_sa
(再次使用角色Storage
/Storage Admin
)
- removed all (three) roles for the offending service account (member)
my_sa
underIAM & Admin
/IAM
- deleted
my_sa
underIAM & Admin
/Service accounts
- recreated
my_sa
(again with roleStorage
/Storage Admin
)
效果是这样的:
my_sa
在IAM & 下显示一个角色 (
/Storage Admin
)管理员IAM
my_sa
显示为Storage
/Browser
/my_bucket
/Edit bucket permissions<下的成员/code>
my_sa
shows up with one role (Storage Admin
) underIAM & Admin
/IAM
my_sa
shows up as member underStorage
/Browser
/my_bucket
/Edit bucket permissions
这篇关于服务帐户没有 Google Cloud Storage 的 storage.objects.get 访问权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!