无法获取 Google Cloud Storage 存储桶的位置
Failed to obtain the location of the Google Cloud Storage bucket
我正在尝试使用 Java 客户端将数据从 S3 传输到 GCS,但出现此错误。
Failed to obtain the location of the Google Cloud Storage (GCS) bucket
___ due to insufficient permissions. Please verify that the necessary permissions have been granted.
我正在使用具有项目所有者角色的服务帐户,该角色应该授予对所有项目资源的无限制访问权限。
Google 传输服务正在使用内部服务帐户来回移动数据。此帐户是自动创建的,不应与您自己创建的服务帐户混淆。
您需要授予此用户一个名为 "Legacy bucket writer" 的权限。
这在文档中有写,但很容易错过:
https://cloud.google.com/storage-transfer/docs/configure-access
感谢@thnee 的评论,我能够拼凑出一个 terraform 脚本,将权限添加到隐藏的存储传输服务帐户:
data "google_project" "project" {}
locals {
// the project number is also available from the Project Info section on the Dashboard
transfer_service_id = "project-${data.google_project.project.number}@storage-transfer-service.iam.gserviceaccount.com"
}
resource "google_storage_bucket" "backups" {
location = "us-west1"
name = "backups"
storage_class = "REGIONAL"
}
data "google_iam_policy" "transfer_job" {
binding {
role = "roles/storage.legacyBucketReader"
members = [
"serviceAccount:${local.transfer_service_id}",
]
}
binding {
role = "roles/storage.objectAdmin"
members = [
"serviceAccount:${local.transfer_service_id}",
]
}
binding {
role = "roles/storage.admin"
members = [
"user:<GCP console user>",
"serviceAccount:<terraform user doing updates>",
]
}
}
resource "google_storage_bucket_iam_policy" "policy" {
bucket = "${google_storage_bucket.backups.name}"
policy_data = "${data.google_iam_policy.transfer_job.policy_data}"
}
请注意,这会删除存储桶中存在的 OWNER 和 READER 中的 the default acls。这将阻止您在控制台中访问存储桶。因此,我们将 roles/storage.admin 添加回所有者用户和进行更改的 Terraform 服务帐户。
服务帐户的格式通常为 project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com。要查找您的服务帐户的格式,请使用 googleServiceAccounts.get API 调用。如果找不到,请使用上述约定分配以下角色(为我工作)
然后为其分配角色:
roles/storage.objectViewer
roles/storage.legacyBucketReader
roles/storage.legacyBucketWriter
我在 gcloud CLI 上登录了我的工作帐户。将身份验证更改为 gcloud auth login 有助于解决我的随机问题。
我正在尝试使用 Java 客户端将数据从 S3 传输到 GCS,但出现此错误。
Failed to obtain the location of the Google Cloud Storage (GCS) bucket ___ due to insufficient permissions. Please verify that the necessary permissions have been granted.
我正在使用具有项目所有者角色的服务帐户,该角色应该授予对所有项目资源的无限制访问权限。
Google 传输服务正在使用内部服务帐户来回移动数据。此帐户是自动创建的,不应与您自己创建的服务帐户混淆。
您需要授予此用户一个名为 "Legacy bucket writer" 的权限。
这在文档中有写,但很容易错过:
https://cloud.google.com/storage-transfer/docs/configure-access
感谢@thnee 的评论,我能够拼凑出一个 terraform 脚本,将权限添加到隐藏的存储传输服务帐户:
data "google_project" "project" {}
locals {
// the project number is also available from the Project Info section on the Dashboard
transfer_service_id = "project-${data.google_project.project.number}@storage-transfer-service.iam.gserviceaccount.com"
}
resource "google_storage_bucket" "backups" {
location = "us-west1"
name = "backups"
storage_class = "REGIONAL"
}
data "google_iam_policy" "transfer_job" {
binding {
role = "roles/storage.legacyBucketReader"
members = [
"serviceAccount:${local.transfer_service_id}",
]
}
binding {
role = "roles/storage.objectAdmin"
members = [
"serviceAccount:${local.transfer_service_id}",
]
}
binding {
role = "roles/storage.admin"
members = [
"user:<GCP console user>",
"serviceAccount:<terraform user doing updates>",
]
}
}
resource "google_storage_bucket_iam_policy" "policy" {
bucket = "${google_storage_bucket.backups.name}"
policy_data = "${data.google_iam_policy.transfer_job.policy_data}"
}
请注意,这会删除存储桶中存在的 OWNER 和 READER 中的 the default acls。这将阻止您在控制台中访问存储桶。因此,我们将 roles/storage.admin 添加回所有者用户和进行更改的 Terraform 服务帐户。
服务帐户的格式通常为 project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com。要查找您的服务帐户的格式,请使用 googleServiceAccounts.get API 调用。如果找不到,请使用上述约定分配以下角色(为我工作)
然后为其分配角色:
roles/storage.objectViewer
roles/storage.legacyBucketReader
roles/storage.legacyBucketWriter
我在 gcloud CLI 上登录了我的工作帐户。将身份验证更改为 gcloud auth login 有助于解决我的随机问题。