使用服务帐户访问Google Container构建器日志 - 403 Forbidden Error
[英]Access Google Container builder logs with a service account - 403 Forbidden Error
问题描述
I have a service account that triggers builds on Google Container Builder. 
我有一个服务帐户,可以在Google Container Builder上触发构建。 This works fine but now I would like to retrieve build logs using that service account. 这工作正常,但现在我想使用该服务帐户检索构建日志。
Here is the code that fetches the log (the token is obtained using google-auto-auth package and this part works well in other places, so I really don't think this is the issue): 这是获取日志的代码(使用google-auto-auth包获取令牌,这部分在其他地方运行良好,所以我真的不认为这是问题):
var url = logsBucket + '/log-' + buildId + '.txt';
debug('Requesting log at %s', url);
request
.get(url)
.set('Authorization', 'Bearer ' + token)
.end(function(err, res) {
if (err) return cb(err);
var log = res.body;
debug('Received build log : %o', log);
cb(null, log);
});
Currently, this fails with 401 Unauthorized although the service account has access to the following roles: 目前,尽管服务帐户可以访问以下角色,但401 Unauthorized已失败:
- Admin kubernetes engine Admin kubernetes引擎
- Admin storage 管理存储
- Admin objects in storage 存储中的管理对象
- Cloud container builder 云容器生成器
- Reader Cloud container builder Reader Cloud容器构建器
- Reader storage objects 读者存储对象
This is the error: 这是错误:
{
"message": "Forbidden",
"stack": "Error: Forbidden\n at Request.callback (/app/node_modules/superagent/lib/node/index.js:696:15)\n [...]",
"status": 403,
"response": {
"req": {
"method": "GET",
"url": "https://storage.googleapis.com/{PROJECT_ID}.cloudbuild-logs.googleusercontent.com/log-42602b35-af02-4e75-8100-8a3bd0e720fb.txt",
"headers": {
"user-agent": "node-superagent/3.8.2",
"authorization": "Bearer {BEARER_TOKEN}"
}
},
"header": {
"x-guploader-uploadid": "{SOME-UPLOAD-ID}",
"content-type": "application/xml; charset=UTF-8",
"content-length": "337",
"date": "Wed, 10 Jan 2018 11:06:54 GMT",
"expires": "Wed, 10 Jan 2018 11:06:54 GMT",
"cache-control": "private, max-age=0",
"server": "UploadServer",
"alt-svc": "...",
"connection": "close"
},
"status": 403
}
}
Any idea why the request fails with 403 ? 知道为什么请求失败了403? Could it come from a missing scope ? 它可能来自缺失的范围吗? I only set scopes: 'https://www.googleapis.com/auth/cloud-platform' so far. 我只设置了scopes: 'https://www.googleapis.com/auth/cloud-platform'到目前为止。
1 个解决方案
解决方案1
8 已采纳 2018-01-13 11:27:28
GCS permissions predate IAM and thus work a little differently. GCS权限早于IAM,因此工作方式略有不同。
To view the build logs, the Service Account in question needs to be a Viewer on the project in addition to have the Builder Editor role. 要查看构建日志,有问题的服务帐户除了具有Builder Editor角色外,还需要是项目的Viewer 。
-
role/viewerincludes rolerole/cloudbuild.builds.viewerrole/viewer包括角色role/cloudbuild.builds.viewer -
role/cloudbuild.builds.editor
As a last step you may want to: (Not necessary) 作为最后一步,您可能希望:(不必要)
- Disable the Container Builder API and re-enable it. 禁用 Container Builder API并重新启用它。 Doing so should give your service account access to your project again. 这样做可以让您的服务帐户再次访问您的项目。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.