GCP 部署管理器:403 没有 storage.buckets.get 访问权限
GCP Deployment Manager: 403 does not have storage.buckets.get access
我正在尝试使用部署管理器创建存储桶,但是当我想要创建部署时,出现以下错误:
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1525606425901-56b87ed1537c9-70ca4aca-72406eee]: errors:
- code: RESOURCE_ERROR
location: /deployments/posts/resources/posts
message: '{"ResourceType":"storage.v1.bucket","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"myprojectid@cloudservices.gserviceaccount.com
does not have storage.buckets.get access to posts.","reason":"forbidden"}],"message":"myprojectid@cloudservices.gserviceaccount.com
does not have storage.buckets.get access to posts.","statusMessage":"Forbidden","requestPath":"https://www.googleapis.com/storage/v1/b/posts","httpMethod":"GET","suggestion":"Consider
granting permissions to myprojectid@cloudservices.gserviceaccount.com"}}'
如果我理解正确,部署管理器使用服务帐户(如消息中所述)实际创建我的所有资源。我检查了 IAM 并确保服务角色 (myprojectid@cloudservices.gserviceaccount.com) 确实具有 "Editor" 的访问权限,甚至添加了 "Storage Admin"(包括 storage.buckets.get)以确保安全。但是,我仍然收到相同的错误消息。
我是否将权限分配给了错误的 IAM 用户/我做错了什么?
使用的命令:
gcloud deployment-manager deployments create posts --config posts.yml
我的部署模板:
bucket.jinja
resources:
- name: {{ properties['name'] }}
type: storage.v1.bucket
properties:
name: {{ properties['name'] }}
location: europe-west1
lifecycle:
rule:
- action:
type: Delete
condition:
age: 30
isLive: true
labels:
datatype: {{ properties['datatype'] }}
storageClass: REGIONAL
posts.yml
imports:
- path: bucket.jinja
resources:
- name: posts
type: bucket.jinja
properties:
name: posts
datatype: posts
我成功测试了您的代码,我认为问题在于您试图 create/update 属于不同项目的不同用户拥有的存储桶,而您的服务帐户对其没有权力。
因此,请尝试重新部署更改可能是唯一的名称,如果这能解决问题,请告诉我。在某些情况下这可能是个问题,因为要么您选择的名称很长,要么已经承担了风险。
注意您必须更改存储桶的名称,因为它必须是所有用户的 unique across all the project。
这似乎是一个过分的要求,但它使创建静态网站或引用标准文件成为可能 URL:
https://storage.googleapis.com/nomebucket/folder/nomefile
根据跟踪错误,我认为这就是问题所在,您正在尝试创建一个不存在且不属于您的存储桶。
注意如果您从服务帐户中删除权限,您不会收到消息告诉您服务帐户不对桶有任何影响:
xxx@cloudservices.gserviceaccount.com does not have storage.buckets.get access to posts.
而是一条消息,指出服务帐户对项目没有权力:
Service account xxx@cloudservices.gserviceaccount.com is not authorized
to take actions for project xxx. Please add xxx@cloudservices.gserviceaccount.com
as an editor under project xxx using Google Developers Console
请注意,如果您尝试创建一个您已经拥有的存储桶,则没有问题。
$ gcloud deployment-manager deployments create posts22 --config posts.yml
The fingerprint of the deployment is xxx==
Waiting for create [operation-xxx-xxx-xxx-xxx]...done.
Create operation operation-xxx-xxx-xxx-xxx completed successfully.
NAME TYPE STATE ERRORS INTENT
nomebuckettest4536 storage.v1.bucket COMPLETED []
我正在尝试使用部署管理器创建存储桶,但是当我想要创建部署时,出现以下错误:
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1525606425901-56b87ed1537c9-70ca4aca-72406eee]: errors:
- code: RESOURCE_ERROR
location: /deployments/posts/resources/posts
message: '{"ResourceType":"storage.v1.bucket","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"myprojectid@cloudservices.gserviceaccount.com
does not have storage.buckets.get access to posts.","reason":"forbidden"}],"message":"myprojectid@cloudservices.gserviceaccount.com
does not have storage.buckets.get access to posts.","statusMessage":"Forbidden","requestPath":"https://www.googleapis.com/storage/v1/b/posts","httpMethod":"GET","suggestion":"Consider
granting permissions to myprojectid@cloudservices.gserviceaccount.com"}}'
如果我理解正确,部署管理器使用服务帐户(如消息中所述)实际创建我的所有资源。我检查了 IAM 并确保服务角色 (myprojectid@cloudservices.gserviceaccount.com) 确实具有 "Editor" 的访问权限,甚至添加了 "Storage Admin"(包括 storage.buckets.get)以确保安全。但是,我仍然收到相同的错误消息。
我是否将权限分配给了错误的 IAM 用户/我做错了什么?
使用的命令:
gcloud deployment-manager deployments create posts --config posts.yml
我的部署模板:
bucket.jinja
resources:
- name: {{ properties['name'] }}
type: storage.v1.bucket
properties:
name: {{ properties['name'] }}
location: europe-west1
lifecycle:
rule:
- action:
type: Delete
condition:
age: 30
isLive: true
labels:
datatype: {{ properties['datatype'] }}
storageClass: REGIONAL
posts.yml
imports:
- path: bucket.jinja
resources:
- name: posts
type: bucket.jinja
properties:
name: posts
datatype: posts
我成功测试了您的代码,我认为问题在于您试图 create/update 属于不同项目的不同用户拥有的存储桶,而您的服务帐户对其没有权力。
因此,请尝试重新部署更改可能是唯一的名称,如果这能解决问题,请告诉我。在某些情况下这可能是个问题,因为要么您选择的名称很长,要么已经承担了风险。
注意您必须更改存储桶的名称,因为它必须是所有用户的 unique across all the project。
这似乎是一个过分的要求,但它使创建静态网站或引用标准文件成为可能 URL:
https://storage.googleapis.com/nomebucket/folder/nomefile
根据跟踪错误,我认为这就是问题所在,您正在尝试创建一个不存在且不属于您的存储桶。
注意如果您从服务帐户中删除权限,您不会收到消息告诉您服务帐户不对桶有任何影响:
xxx@cloudservices.gserviceaccount.com does not have storage.buckets.get access to posts.
而是一条消息,指出服务帐户对项目没有权力:
Service account xxx@cloudservices.gserviceaccount.com is not authorized
to take actions for project xxx. Please add xxx@cloudservices.gserviceaccount.com
as an editor under project xxx using Google Developers Console
请注意,如果您尝试创建一个您已经拥有的存储桶,则没有问题。
$ gcloud deployment-manager deployments create posts22 --config posts.yml
The fingerprint of the deployment is xxx==
Waiting for create [operation-xxx-xxx-xxx-xxx]...done.
Create operation operation-xxx-xxx-xxx-xxx completed successfully.
NAME TYPE STATE ERRORS INTENT
nomebuckettest4536 storage.v1.bucket COMPLETED []