Error : ERROR: (gcloud.logging.sinks.create) User [nataraj@somedomaindonamehere] does not have permission to access organization
Error : ERROR: (gcloud.logging.sinks.create) User [nataraj@somedomaindonamehere] does not have permission to access organization
我正在尝试创建一个接收器来监控组织中所有项目的 VPC_FLOW 日志,但我的权限被拒绝了,还有其他人有类似的问题吗?。错误很明显,它被拒绝了,但我需要什么权限才能创建它?
环境:我正在用某人登录@domainname.com(gsuite 用户)
来自命令行:
gcloud beta logging sinks create somesinknamehere --include-children --log-filter='resource.type="gce_subnetwork"' storage.googleapis.com/somebuckethere --organization=organizations/0000000000
错误:错误:(gcloud.logging.sinks.create)用户 [nataraj@somedomaindonamehere] 没有访问组织 [0000000000] 的权限(或者它可能不存在):调用者没有权限。
API
Request
POST https://logging.googleapis.com/v2/organizations/00000000000/sinks?key={YOUR_API_KEY}
{
"destination": "storage.googleapis.com/somebucket",
"filter": "resource.type=\"gce_subnetwork",
"name": "somenamehere",
"includeChildren": true
}
Response
403
- Show headers -
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
我试过测试版 API 下面是响应
Request
POST https://logging.googleapis.com/v2beta1/organizations/0000000000/sinks?key={YOUR_API_KEY}
{
“destination”: “storage.googleapis.com/somebucketnamehere”,
“filter”: “resource.type=\“gce_subnetwork”,
“name”: “somesinknamehere”,
“includeChildren”: true
}
回应
404
Show headers -
<title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style>
404. That’s an error.
在此服务器上找不到请求的 URL /v2beta1/organizations/0000000000/sinks?key=somekeynamehjere&alt=json。这就是我们所知道的。
根据此 document、
澄清@Nataraj 评论作为答案
you must have the Logs Configuration Writer IAM role for the parent to
create the sink.
因此,给出
1) Organization Administrator, 2) Billing Administrator and 3)
Logging Admin roles
但是,此类权限对于每个父级(组织)来说可能更细化,access control guide should help. On another note, it is a best practice to grant roles and configure ownership/access to service accounts 而不是用户。
我正在尝试创建一个接收器来监控组织中所有项目的 VPC_FLOW 日志,但我的权限被拒绝了,还有其他人有类似的问题吗?。错误很明显,它被拒绝了,但我需要什么权限才能创建它?
环境:我正在用某人登录@domainname.com(gsuite 用户)
来自命令行:
gcloud beta logging sinks create somesinknamehere --include-children --log-filter='resource.type="gce_subnetwork"' storage.googleapis.com/somebuckethere --organization=organizations/0000000000
错误:错误:(gcloud.logging.sinks.create)用户 [nataraj@somedomaindonamehere] 没有访问组织 [0000000000] 的权限(或者它可能不存在):调用者没有权限。
API
Request
POST https://logging.googleapis.com/v2/organizations/00000000000/sinks?key={YOUR_API_KEY}
{
"destination": "storage.googleapis.com/somebucket",
"filter": "resource.type=\"gce_subnetwork",
"name": "somenamehere",
"includeChildren": true
}
Response
403
- Show headers -
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
我试过测试版 API 下面是响应
Request
POST https://logging.googleapis.com/v2beta1/organizations/0000000000/sinks?key={YOUR_API_KEY}
{
“destination”: “storage.googleapis.com/somebucketnamehere”,
“filter”: “resource.type=\“gce_subnetwork”,
“name”: “somesinknamehere”,
“includeChildren”: true
}
回应
404
Show headers -
<title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style>
404. That’s an error.
在此服务器上找不到请求的 URL /v2beta1/organizations/0000000000/sinks?key=somekeynamehjere&alt=json。这就是我们所知道的。
根据此 document、
澄清@Nataraj 评论作为答案you must have the Logs Configuration Writer IAM role for the parent to create the sink.
因此,给出
1) Organization Administrator, 2) Billing Administrator and 3) Logging Admin roles
但是,此类权限对于每个父级(组织)来说可能更细化,access control guide should help. On another note, it is a best practice to grant roles and configure ownership/access to service accounts 而不是用户。