发布订阅主题的 setIamPolicy(在资源级别而不是项目级别)
setIamPolicy for pubsub topics (at the resource level not project)
我正在使用 Deployment Manager 设置 现有 pub/sub 主题的 IAM 策略 - 我不想获取它,也无法创建它部署管理器(因为它存在)。所以我想对现有资源设置策略
我可以用 buckets 做到这一点,但文档很混乱,我找不到正确的 buckets 方法
我想为主题而不是存储桶执行此操作(资源级绑定):
resources:
- name: mybucket
action: gcp-types/storage-v1:storage.buckets.setIamPolicy
properties:
bucket: mybucket
bindings:
- role: roles/storage.admin
members:
- "serviceAccount:sdfsfds@sdfsdf.com"
我只能找到 gcp-types/pubsub-v1:projects.topics.setIamPolicy 这似乎是项目级别的?什么是针对特定主题设置 IAM 策略的正确 api?
google API 在这里似乎不一致 - 这些方法是否也等效?文档令人困惑:
https://cloud.google.com/storage/docs/json_api/v1/buckets/setIamPolicy
https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.topics/setIamPolicy
我试过了,但出现错误:
- name: mytopic
action: gcp-types/pubsub-v1:pubsub.projects.topics.setIamPolicy
properties:
resource: mytopic
bindings:
- role: roles/pubsub.admin
members:
- "serviceAccount:ssdfsdf@sdfsdf.com"
获取错误:
message: '{"ResourceType":"gcp-types/pubsub-v1:pubsub.projects.topics.setIamPolicy","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"message":"Invalid
JSON payload received. Unknown name \"bindings\": Cannot find field.","status":"INVALID_ARGUMENT","details":[{"@type":"type.googleapis.com/google.rpc.BadRequest","fieldViolations":[{"description":"Invalid
JSON payload received. Unknown name \"bindings\": Cannot find field."}]}],"statusMessage":"Bad
Request","requestPath":"https://pubsub.googleapis.com/v1/projects/myproject/topics/mytopic:setIamPolicy","httpMethod":"POST"}}
当我尝试 projects.topics.setIamPolicy 我得到:
- code: COLLECTION_NOT_FOUND
message: Collection 'projects.topics.setIamPolicy' not found in discovery doc 'https://pubsub.googleapis.com/$discovery/rest?version=v1'
pubsub-v1:projects.topics.setIamPolicy is at the topic level and the https://iam.googleapis.com/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy是在项目级别设置Pub/Sub或其他资源。
你得到这些错误是因为你给了 Pub/Sub 管理员,这是项目级别的角色。您可以提供的示例 roles 是:
- roles/viewer
- roles/editor
- roles/owner
我了解到您正在尝试部署一个主题,该主题的 IAM 策略只允许一个服务帐户访问一个主题。如果这是您使用的环境,则必须使用 yaml 文件和 python 文件。
在 python file 中,您将使用方法 "set_iam_policy" 为主题设置 IAM,该方法接受 2 个参数,策略和主题路径:
client = pubsub_v1.PublisherClient()
topic_path = client.topic_path(project, topic_name)
policy = client.get_iam_policy(topic_path)
# Add all users as viewers.
policy.bindings.add(
role='roles/pubsub.viewer',
members=['allUsers'])
# Add a group as a publisher.
policy.bindings.add(
role='roles/pubsub.publisher',
members=['group:cloud-logs@google.com'])
# Set the policy
policy = client.set_iam_policy(topic_path, policy)
print('IAM policy for topic {} set: {}'.format(
topic_name, policy))
imports:
- path: templates/pubsub/pubsub.py
name: pubsub.py
resources:
- name: test-pubsub
type: pubsub.py
properties:
topic: test-topic
accessControl:
- role: roles/pubsub.subscriber
members:
- user:demo@user.com
subscriptions:
- name: first-subscription
accessControl:
- role: roles/pubsub.subscriber
members:
- user:demo@user.com
- name: second-subscription
ackDeadlineSeconds: 15
我正在使用 Deployment Manager 设置 现有 pub/sub 主题的 IAM 策略 - 我不想获取它,也无法创建它部署管理器(因为它存在)。所以我想对现有资源设置策略
我可以用 buckets 做到这一点,但文档很混乱,我找不到正确的 buckets 方法
我想为主题而不是存储桶执行此操作(资源级绑定):
resources:
- name: mybucket
action: gcp-types/storage-v1:storage.buckets.setIamPolicy
properties:
bucket: mybucket
bindings:
- role: roles/storage.admin
members:
- "serviceAccount:sdfsfds@sdfsdf.com"
我只能找到 gcp-types/pubsub-v1:projects.topics.setIamPolicy 这似乎是项目级别的?什么是针对特定主题设置 IAM 策略的正确 api?
google API 在这里似乎不一致 - 这些方法是否也等效?文档令人困惑: https://cloud.google.com/storage/docs/json_api/v1/buckets/setIamPolicy https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.topics/setIamPolicy
我试过了,但出现错误:
- name: mytopic
action: gcp-types/pubsub-v1:pubsub.projects.topics.setIamPolicy
properties:
resource: mytopic
bindings:
- role: roles/pubsub.admin
members:
- "serviceAccount:ssdfsdf@sdfsdf.com"
获取错误:
message: '{"ResourceType":"gcp-types/pubsub-v1:pubsub.projects.topics.setIamPolicy","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"message":"Invalid
JSON payload received. Unknown name \"bindings\": Cannot find field.","status":"INVALID_ARGUMENT","details":[{"@type":"type.googleapis.com/google.rpc.BadRequest","fieldViolations":[{"description":"Invalid
JSON payload received. Unknown name \"bindings\": Cannot find field."}]}],"statusMessage":"Bad
Request","requestPath":"https://pubsub.googleapis.com/v1/projects/myproject/topics/mytopic:setIamPolicy","httpMethod":"POST"}}
当我尝试 projects.topics.setIamPolicy 我得到:
- code: COLLECTION_NOT_FOUND
message: Collection 'projects.topics.setIamPolicy' not found in discovery doc 'https://pubsub.googleapis.com/$discovery/rest?version=v1'
pubsub-v1:projects.topics.setIamPolicy is at the topic level and the https://iam.googleapis.com/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy是在项目级别设置Pub/Sub或其他资源。
你得到这些错误是因为你给了 Pub/Sub 管理员,这是项目级别的角色。您可以提供的示例 roles 是:
- roles/viewer
- roles/editor
- roles/owner
我了解到您正在尝试部署一个主题,该主题的 IAM 策略只允许一个服务帐户访问一个主题。如果这是您使用的环境,则必须使用 yaml 文件和 python 文件。
在 python file 中,您将使用方法 "set_iam_policy" 为主题设置 IAM,该方法接受 2 个参数,策略和主题路径:
client = pubsub_v1.PublisherClient()
topic_path = client.topic_path(project, topic_name)
policy = client.get_iam_policy(topic_path)
# Add all users as viewers.
policy.bindings.add(
role='roles/pubsub.viewer',
members=['allUsers'])
# Add a group as a publisher.
policy.bindings.add(
role='roles/pubsub.publisher',
members=['group:cloud-logs@google.com'])
# Set the policy
policy = client.set_iam_policy(topic_path, policy)
print('IAM policy for topic {} set: {}'.format(
topic_name, policy))
imports:
- path: templates/pubsub/pubsub.py
name: pubsub.py
resources:
- name: test-pubsub
type: pubsub.py
properties:
topic: test-topic
accessControl:
- role: roles/pubsub.subscriber
members:
- user:demo@user.com
subscriptions:
- name: first-subscription
accessControl:
- role: roles/pubsub.subscriber
members:
- user:demo@user.com
- name: second-subscription
ackDeadlineSeconds: 15