尝试在 Cloud Run 中使用 Google Cloud Storage 时调用者没有权限 [英] The caller does not have permission when attempting to use Google Cloud Storage within Cloud Run
问题描述
I'm attempting to get a Node project setup on Google Cloud Run with Cloud Storage. I am running into an authentication issue when using a created Service Account.
When creating the service account I did successfully download the JSON token and got everything running correctly in my local development environment.
The issue is when I have the application deployed successfully to Cloud Run I get the following error:
Error: The caller does not have permission
This occurs when I am attempting to get a signed URL for uploading files to a Storage Bucket.
I create the Storage client like this:
const { Storage } = require("@google-cloud/storage");
const storage = new Storage();
...and further down in my script the call is like this:
const [url] = await storage
.bucket(bucketName)
.file(filename)
.getSignedUrl(options);
I have setup the the following permissions for the IAM Service Account:
- Cloud SQL Client - Maybe relevant? I have Cloud SQL successfully working on deployed environment.
- Service Account User - Needed to be used as a Service Account?
- Storage Object Creator - I only need the ability to create signed upload urls from this project.
I have also assigned the mentioned service account to the Cloud Run instance via the console.
Just to confirm, the application runs 100% correctly locally using the Service Account JSON Key, it's just not working when running in the Google Cloud.
I managed to resolve the issue. It looks like when deployed into Cloud Run it also requires the extra permission "Service Account Token Creator" to run getSignedUrl. Locally for some reason this role is not required.
这篇关于尝试在 Cloud Run 中使用 Google Cloud Storage 时调用者没有权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
