托管服务帐户在添加 ObjectAccessControl 时没有足够的权限
Managed Service Account does not have enough permissions while adding ObjectAcessControl
尝试在部署管理器上添加对象控制访问:
- type: storage.v1.objectAccessControl
name: url-access
properties:
role: READER
bucket: "bucket"
object: "object"
entity: "email"
我收到这个错误:
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1574856490078-59852d9a9d256-4d665591-d57c3ea1]: errors:
- code: RESOURCE_ERROR
location: /deployments/.../resources/user-access
message: '{
"ResourceType": "storage.v1.objectAccessControl",
"ResourceErrorCode": "403",
"ResourceErrorMessage": {
"code": 403,
"errors": [
{
"domain": "global",
"message": "MANAGED_SA@cloudservices.gserviceaccount.com does not have storage.objects.get access to bucket/file.",
"reason": "forbidden"
}
],
"message": "MANAGED_SA@cloudservices.gserviceaccount.com does not have storage.objects.get access to bucket/file.",
"statusMessage": "Forbidden",
"requestPath": "https://www.googleapis.com/storage/v1/b/bucket/o/file/acl",
"httpMethod": "POST",
"suggestion": "Consider granting permissions to MANAGED_SA@cloudservices.gserviceaccount.com"
}
}'
奇怪的事实:默认情况下,MANAGED-SA 对项目具有编辑访问权限。即使设置了 Owner Access,我仍然收到此消息
只需为服务帐户添加角色`MANAGED_SA@cloudservices.gserviceaccount.com: "Storage Object Admin"。查看器不够
尝试在部署管理器上添加对象控制访问:
- type: storage.v1.objectAccessControl
name: url-access
properties:
role: READER
bucket: "bucket"
object: "object"
entity: "email"
我收到这个错误:
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1574856490078-59852d9a9d256-4d665591-d57c3ea1]: errors:
- code: RESOURCE_ERROR
location: /deployments/.../resources/user-access
message: '{
"ResourceType": "storage.v1.objectAccessControl",
"ResourceErrorCode": "403",
"ResourceErrorMessage": {
"code": 403,
"errors": [
{
"domain": "global",
"message": "MANAGED_SA@cloudservices.gserviceaccount.com does not have storage.objects.get access to bucket/file.",
"reason": "forbidden"
}
],
"message": "MANAGED_SA@cloudservices.gserviceaccount.com does not have storage.objects.get access to bucket/file.",
"statusMessage": "Forbidden",
"requestPath": "https://www.googleapis.com/storage/v1/b/bucket/o/file/acl",
"httpMethod": "POST",
"suggestion": "Consider granting permissions to MANAGED_SA@cloudservices.gserviceaccount.com"
}
}'
奇怪的事实:默认情况下,MANAGED-SA 对项目具有编辑访问权限。即使设置了 Owner Access,我仍然收到此消息
只需为服务帐户添加角色`MANAGED_SA@cloudservices.gserviceaccount.com: "Storage Object Admin"。查看器不够