具有组织查看者角色的服务帐户无法执行任何操作
Service account with org viewer role not able to perform any actions
我创建了一个具有组织查看器权限的 GCP 服务帐户(因此我假设在所有项目中都具有读取权限)
▶ gcloud organizations get-iam-policy 83838383838383 --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:my-sa@my-project-id.iam.gserviceaccount.com"
ROLE
roles/resourcemanager.organizationViewer
然后我在本地激活这个
▶ gcloud auth activate-service-account my-sa@my-project-id.iam.gserviceaccount.com --key-file=keyfile.json
Activated service account credentials for: [my-sa@my-project-id.iam.gserviceaccount.com]
然后尝试执行 compute disk list
(在创建 SA 的同一个项目上)
▶ gcloud compute disks list
ERROR: (gcloud.compute.disks.list) Some requests did not succeed:
- Required 'compute.disks.list' permission for 'projects/my-project-id'
这是为什么?
错误消息表明服务帐户没有权限 compute.disks.list
。
角色 roles/resourcemanager.organizationViewer
有什么权限?
gcloud iam roles describe roles/resourcemanager.organizationViewer --format=json
注意角色只有一个权限resourcemanager.organizations.get
{
"description": "Access only to view an Organization.",
"etag": "AA==",
"includedPermissions": [
"resourcemanager.organizations.get"
],
"name": "roles/resourcemanager.organizationViewer",
"stage": "GA",
"title": "Organization Viewer"
}
该权限允许查看组织详细信息,但不能查看组织的资源。
我创建了一个具有组织查看器权限的 GCP 服务帐户(因此我假设在所有项目中都具有读取权限)
▶ gcloud organizations get-iam-policy 83838383838383 --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:my-sa@my-project-id.iam.gserviceaccount.com"
ROLE
roles/resourcemanager.organizationViewer
然后我在本地激活这个
▶ gcloud auth activate-service-account my-sa@my-project-id.iam.gserviceaccount.com --key-file=keyfile.json
Activated service account credentials for: [my-sa@my-project-id.iam.gserviceaccount.com]
然后尝试执行 compute disk list
(在创建 SA 的同一个项目上)
▶ gcloud compute disks list
ERROR: (gcloud.compute.disks.list) Some requests did not succeed:
- Required 'compute.disks.list' permission for 'projects/my-project-id'
这是为什么?
错误消息表明服务帐户没有权限 compute.disks.list
。
角色 roles/resourcemanager.organizationViewer
有什么权限?
gcloud iam roles describe roles/resourcemanager.organizationViewer --format=json
注意角色只有一个权限resourcemanager.organizations.get
{
"description": "Access only to view an Organization.",
"etag": "AA==",
"includedPermissions": [
"resourcemanager.organizations.get"
],
"name": "roles/resourcemanager.organizationViewer",
"stage": "GA",
"title": "Organization Viewer"
}
该权限允许查看组织详细信息,但不能查看组织的资源。