原因:com.google.api.client.googleapis.json.GoogleJsonResponseException: 412 Precondition Failed while removing bucket IAM Member

Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 412 Precondition Failed while removing bucket IAM Member

为了从 google 云存储桶中删除身份,我使用了 GCP 示例存储库中提供的示例:here。我想知道我是否遗漏了什么,我有正确的云帐户根凭据以及项目所有权凭据。

政策原文如下:

Policy{
bindings={roles/storage.legacyBucketOwner=[projectOwner:myaccount], 
roles/storage.objectAdmin=[serviceAccount:company-kiehn- 
log@myaccount.iam.gserviceaccount.com, serviceAccount:company-hammes- 
file@myaccount.iam.gserviceaccount.com, serviceAccount:company-howe- 
log@myaccount.iam.gserviceaccount.com, serviceAccount:company-doyle- 
log@myaccount.iam.gserviceaccount.com, serviceAccount:customer-6a53ee71-95eb- 
49b2-8a@myaccount.iam.gserviceaccount.com, serviceAccount:company-kiehn- 
file@myaccount.iam.gserviceaccount.com, serviceAccount:company-howe- 
file@myaccount.iam.gserviceaccount.com, serviceAccount:company-satterfield- 
log@myaccount.iam.gserviceaccount.com, serviceAccount:customer-0c1e8536-8bf5- 
46f4-8e@myaccount.iam.gserviceaccount.com, serviceAccount:company-deckow- 
log@myaccount.iam.gserviceaccount.com], 
roles/storage.legacyBucketReader=[projectViewer:myaccount], 
roles/storage.objectViewer=[serviceAccount:company-block- 
log@myaccount.iam.gserviceaccount.com]},
etag=CGg=,
version=0}

这是我的代码片段:

读取存储桶策略并提取不需要的身份

Set<Identity> wrongIdentities = new HashSet<Identity>();
Role roler = null;    
Policy p = Cache.GCSStorage.getIamPolicy("bucketxyz");
Map<Role, Set<Identity>> policyBindings = p.getBindings();
        for (Map.Entry<Role, Set<Identity>> entry : policyBindings.entrySet()) {
Set<Identity> setidentities = entry.getValue();
                for (Identity set : setidentities) {
                    if (!(entry.getKey().getValue()
                            .equals("serviceAccount:attss@myaccount.iam.gserviceaccount.com"))) {

                        wrongIdentities.add(set);
                    }
 }
for (Identity identity : wrongIdentities) {

            System.out.println("identity: " + identity);
            System.out.println(removeBucketIamMember("bucektxyz",
                    roler, identity, p));
        }
}

从策略中删除不需要的身份

public static Policy removeBucketIamMember(String bucketName, Role role, 
Identity identity, Policy policy) {
Policy updatedPolicy = Cache.GCSStorage.setIamPolicy(bucketName,
policy.toBuilder().removeIdentity(role, identity).build());
return updatedPolicy;

但是,我看到了错误:

Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 412 
Precondition Failed
{
   "code" : 412,
   "errors" : [ {
   "domain" : "global",
   "location" : "If-Match",
   "locationType" : "header",
   "message" : "Precondition Failed",
   "reason" : "conditionNotMet"
 } ],
   "message" : "Precondition Failed"
 }

at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:146)
at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:113)
at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:40)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.interceptResponse(AbstractGoogleClientRequest.java:321)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1065)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:419)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:469)
at com.google.cloud.storage.spi.v1.HttpStorageRpc.setIamPolicy(HttpStorageRpc.java:886)
... 9 more

修改 Cloud Storage 存储桶或对象 IAM 策略时,请务必先阅读该策略。作为策略内容的一部分是一个标签。更新后的政策必须包含相同的标签。标签看起来像:etag=CGg=.

在这个问题中,政策更新失败,出现 HTTP 错误 412 先决条件失败。此消息是由于策略标记不正确引起的。由于策略更新会替换现有策略,因此此标记有助于防止两个更新相互覆盖。