如何向 google 云上的用户帐户授予服务帐户访问权限
How to grant service account access to a user account on google cloud
我在使用 gcloud
命令时遇到问题,花了一周的时间来解决。
当我 运行 gcloud 命令 gcloud auth revoke
时,出现以下错误。
WARNING: This command is using service account impersonation. All API calls will be executed as [xxx@gmail.com]. // xxx@gmail.com is my user account which is the owner of the project.
ERROR: (gcloud.iam.service-accounts.create) Failed to impersonate [xxx@gmail.com]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.
为了解决这个问题,我创建了一个服务帐户,该帐户具有“roles/iam.serviceAccountTokenCreator”角色,并且将策略 g运行 发送到 xxx@gmail.com。但它不起作用。
详细错误如下(运行带有“--log-http”的命令)。
=======================
==== request start ====
uri: https://oauth2.googleapis.com/token
method: POST
== headers start ==
content-type: application/x-www-form-urlencoded
user-agent: google-cloud-sdk gcloud/310.0.0 command/gcloud.auth.revoke invocation-id/xxx environment/None environment-version/None interactive/True from-script/False python/2.7.16 term/xterm-256color (Macintosh; Intel Mac OS X 19.2.0)
== headers end ==
== body start ==
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this request.
== body end ==
==== request end ====
---- response start ----
status: 200
-- headers start --
-content-encoding: gzip
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-length: 1389
content-type: application/json; charset=utf-8
date: Sun, 22 Nov 2020 00:59:28 GMT
expires: Mon, 01 Jan 1990 00:00:00 GMT
pragma: no-cache
server: scaffolding on HTTPServer2
transfer-encoding: chunked
vary: Origin, X-Origin, Referer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
-- headers end --
-- body start --
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this response.
-- body end --
total round trip time (request+response): 0.207 secs
---- response end ----
----------------------
=======================
==== request start ====
uri: https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/xxx@gmail.com:generateAccessToken
method: POST
== headers start ==
Content-Type: application/json
authorization: Bearer xxx
user-agent: google-cloud-sdk gcloud/310.0.0 command/gcloud.auth.revoke invocation-id/xxx environment/None environment-version/None interactive/True from-script/False python/2.7.16 term/xterm-256color (Macintosh; Intel Mac OS X 19.2.0)
== headers end ==
== body start ==
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this request.
== body end ==
==== request end ====
---- response start ----
status: 404
-- headers start --
-content-encoding: gzip
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
cache-control: private
content-length: 114
content-type: application/json; charset=UTF-8
date: Sun, 22 Nov 2020 00:59:28 GMT
server: ESF
transfer-encoding: chunked
vary: Origin, X-Origin, Referer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
-- headers end --
-- body start --
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this response.
-- body end --
total round trip time (request+response): 0.389 secs
---- response end ----
----------------------
另一件让我感到困惑的事情是 gcloud auth revoke
不起作用,但是 gcloud auth login
和 gcloud auth list
可以正常工作。
如果有人遇到过这个问题并且知道如何解决这个问题,我想知道如何解决。谢谢。
我发现我将我的用户帐户设置为模拟服务帐户,这没有任何意义。
在我运行gcloud config unset auth/impersonate_service_account
之后,它按预期工作。谢谢
我在使用 gcloud
命令时遇到问题,花了一周的时间来解决。
当我 运行 gcloud 命令 gcloud auth revoke
时,出现以下错误。
WARNING: This command is using service account impersonation. All API calls will be executed as [xxx@gmail.com]. // xxx@gmail.com is my user account which is the owner of the project.
ERROR: (gcloud.iam.service-accounts.create) Failed to impersonate [xxx@gmail.com]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.
为了解决这个问题,我创建了一个服务帐户,该帐户具有“roles/iam.serviceAccountTokenCreator”角色,并且将策略 g运行 发送到 xxx@gmail.com。但它不起作用。
详细错误如下(运行带有“--log-http”的命令)。
=======================
==== request start ====
uri: https://oauth2.googleapis.com/token
method: POST
== headers start ==
content-type: application/x-www-form-urlencoded
user-agent: google-cloud-sdk gcloud/310.0.0 command/gcloud.auth.revoke invocation-id/xxx environment/None environment-version/None interactive/True from-script/False python/2.7.16 term/xterm-256color (Macintosh; Intel Mac OS X 19.2.0)
== headers end ==
== body start ==
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this request.
== body end ==
==== request end ====
---- response start ----
status: 200
-- headers start --
-content-encoding: gzip
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-length: 1389
content-type: application/json; charset=utf-8
date: Sun, 22 Nov 2020 00:59:28 GMT
expires: Mon, 01 Jan 1990 00:00:00 GMT
pragma: no-cache
server: scaffolding on HTTPServer2
transfer-encoding: chunked
vary: Origin, X-Origin, Referer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
-- headers end --
-- body start --
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this response.
-- body end --
total round trip time (request+response): 0.207 secs
---- response end ----
----------------------
=======================
==== request start ====
uri: https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/xxx@gmail.com:generateAccessToken
method: POST
== headers start ==
Content-Type: application/json
authorization: Bearer xxx
user-agent: google-cloud-sdk gcloud/310.0.0 command/gcloud.auth.revoke invocation-id/xxx environment/None environment-version/None interactive/True from-script/False python/2.7.16 term/xterm-256color (Macintosh; Intel Mac OS X 19.2.0)
== headers end ==
== body start ==
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this request.
== body end ==
==== request end ====
---- response start ----
status: 404
-- headers start --
-content-encoding: gzip
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
cache-control: private
content-length: 114
content-type: application/json; charset=UTF-8
date: Sun, 22 Nov 2020 00:59:28 GMT
server: ESF
transfer-encoding: chunked
vary: Origin, X-Origin, Referer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
-- headers end --
-- body start --
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this response.
-- body end --
total round trip time (request+response): 0.389 secs
---- response end ----
----------------------
另一件让我感到困惑的事情是 gcloud auth revoke
不起作用,但是 gcloud auth login
和 gcloud auth list
可以正常工作。
如果有人遇到过这个问题并且知道如何解决这个问题,我想知道如何解决。谢谢。
我发现我将我的用户帐户设置为模拟服务帐户,这没有任何意义。
在我运行gcloud config unset auth/impersonate_service_account
之后,它按预期工作。谢谢