具有组织查看者角色的服务帐户无法执行任何操作

Service account with org viewer role not able to perform any actions

我创建了一个具有组织查看器权限的 GCP 服务帐户(因此我假设在所有项目中都具有读取权限)

▶ gcloud organizations get-iam-policy 83838383838383 --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:my-sa@my-project-id.iam.gserviceaccount.com"
ROLE
roles/resourcemanager.organizationViewer

然后我在本地激活这个

▶ gcloud auth activate-service-account my-sa@my-project-id.iam.gserviceaccount.com --key-file=keyfile.json
Activated service account credentials for: [my-sa@my-project-id.iam.gserviceaccount.com]

然后尝试执行 compute disk list(在创建 SA 的同一个项目上)

▶ gcloud compute disks list
ERROR: (gcloud.compute.disks.list) Some requests did not succeed:
 - Required 'compute.disks.list' permission for 'projects/my-project-id'

这是为什么?

错误消息表明服务帐户没有权限 compute.disks.list

角色 roles/resourcemanager.organizationViewer 有什么权限?

gcloud iam roles describe roles/resourcemanager.organizationViewer --format=json

注意角色只有一个权限resourcemanager.organizations.get

{
  "description": "Access only to view an Organization.",
  "etag": "AA==",
  "includedPermissions": [
    "resourcemanager.organizations.get"
  ],
  "name": "roles/resourcemanager.organizationViewer",
  "stage": "GA",
  "title": "Organization Viewer"
}

该权限允许查看组织详细信息,但不能查看组织的资源。