服务帐户没有对 Google Cloud Storage 的 storage.objects.get 访问权限
[英]service account does not have storage.objects.get access for Google Cloud Storage
问题描述
I have created a service account in Google Cloud Console and selected role Storage / Storage Admin (ie full control of GCS resources).
我在 Google Cloud Console 中创建了一个服务帐户并选择了角色Storage / Storage Admin (即对 GCS 资源的完全控制)。
gcloud projects get-iam-policy my_project seems to indicate that the role was actually selected: gcloud projects get-iam-policy my_project似乎表明该角色实际上已被选中:
- members:
- serviceAccount:my_sa@my_project.iam.gserviceaccount.com
role: roles/storage.admin
- members:
- serviceAccount:my_sa@my_project.iam.gserviceaccount.com
role: roles/storage.objectAdmin
- members:
- serviceAccount:my_sa@my_project.iam.gserviceaccount.com
role: roles/storage.objectCreator
And documentation clearly indicates that role roles/storage.admin comprises permissions storage.objects.* (as well as storage.buckets.* ). 文档清楚地表明角色roles/storage.admin包含权限storage.objects.* (以及storage.buckets.* )。
But when I try using that service account in conjunction with the Google Cloud Storage Client Library for Python, I receive this error message:但是,当我尝试将该服务帐户与 Python 的 Google Cloud Storage Client Library 结合使用时,我收到此错误消息:
my_sa@my_project.iam.gserviceaccount.com does not have storage.objects.get access to my_project/my_bucket.
So why would the selected role not be sufficient in this context?那么,为什么所选角色在这种情况下还不够呢?
7 个解决方案
解决方案1
23 已采纳 2018-07-19 03:41:41
The problem was apparently that the service account was associated with too many roles, perhaps as a results of previous configuration attempts.问题显然是服务帐户与太多角色相关联,这可能是先前配置尝试的结果。
These steps resolved the issue:这些步骤解决了这个问题:
- removed all (three) roles for the offending service account (member)
my_saunderIAM & Admin/IAM删除了IAM & Admin/IAM下有问题的服务帐户(成员)my_sa的所有(三个)角色 - deleted
my_saunderIAM & Admin/Service accounts删除了IAM & Admin/Service accounts下的my_sa - recreated
my_sa(again with roleStorage/Storage Admin)重新创建my_sa(再次使用角色Storage/Storage Admin)
Effects are like this:效果是这样的:
-
my_sashows up with one role (Storage Admin) underIAM & Admin/IAMmy_sa在IAM & Admin/IAM下显示一个角色 (Storage Admin) -
my_sashows up as member underStorage/Browser/my_bucket/Edit bucket permissionsmy_sa在Storage/Browser/my_bucket/Edit bucket permissions下显示为成员
解决方案2
16 2020-11-27 11:39:50
It's worth noting, that you need to wait up to a few minutes for permissions to be working in case you just assigned them.值得注意的是,如果您刚刚分配了权限,您最多需要等待几分钟才能正常工作。 At least that's what happened to me after:至少那是我之后发生的事情:
gcloud projects add-iam-policy-binding xxx --member
"serviceAccount:xxx@xxx.iam.gserviceaccount.com" --role "roles/storage.objectViewer"
解决方案3
12 2021-03-18 19:25:01
Go to your bucket's permissions section and open add permissions section for your bucket.转到您的存储桶的权限部分并为您的存储桶打开添加权限部分。 For example, insufficient service, which gcloud tells you, is;例如,gcloud 告诉您的服务不足是;
1234567890-compute@developer.gserviceaccount.com
Add this service as user then give these roles;将此服务添加为用户,然后赋予这些角色;
- Cloud Storage - Storage Admin云存储 - 存储管理员
- Cloud Storage - Storage Object Admin云存储 - 存储对象管理员
- Cloud Storage - Storage Object Creator云存储 - 存储对象创建者
Then you should have sufficient permissions to make changes on your bucket.然后,您应该有足够的权限对您的存储桶进行更改。
解决方案4
1 2021-10-27 12:14:27
I faced this problem when trying to check if a bucket already existed in my project before creating it and in my case it wasnt per say an issue of roles because my service account had a storage admin, storage object admin and creator roles but it turned out that the bucket name I was trying to check existed/create (from inside my python code) wasn't globally unique.我在创建项目之前尝试检查存储桶是否已经存在时遇到了这个问题,在我的情况下,这不是角色问题,因为我的服务帐户有存储管理员、存储对象管理员和创建者角色,但结果是我试图检查存在/创建的存储桶名称(从我的 python 代码中)不是全局唯一的。 When I changed the name of the bucket to something globally unique the error went away.当我将存储桶的名称更改为全局唯一的名称时,错误消失了。
解决方案5
0 2021-09-24 10:41:10
For me, it was because deployed with the "default-bucket" as parameter needed for the storage emulator.对我来说,这是因为使用"default-bucket"作为存储模拟器所需的参数进行部署。
admin.storage().bucket('default-bucket'); // do not deploy that
To fix it, I set the default bucket name at the initialization of the firebase admin.为了解决这个问题,我在 firebase 管理员初始化时设置了默认存储桶名称。
const admin = require('firebase-admin');
const config = process.env.FUNCTIONS_EMULATOR ? {
storageBucket: 'default-bucket',
} : {
storageBucket: 'YOUT_FIREBASE_STORAGE_BUCKET',
};
admin.initializeApp(config);
const bucket = admin.storage().bucket();
解决方案6
0 2022-06-30 07:22:55
I just realized this happens some times when you are just creating the Firebase/Firestore/Storage project by first time.我刚刚意识到,当您第一次创建 Firebase/Firestore/Storage 项目时,有时会发生这种情况。
If you got this error in your first installation/deploy/setup, just wait 1 minute and try again.如果您在第一次安装/部署/设置中遇到此错误,请等待 1 分钟,然后重试。 Seems like some delays in the Google Cloud deploys/serving are responsible of this.似乎谷歌云部署/服务中的一些延迟是造成这种情况的原因。
解决方案7
0 2022-09-11 08:57:40
I got this error when I copied a cloud function from another project because I forgot to update the storage bucket.当我从另一个项目复制云 function 时出现此错误,因为我忘记更新存储桶。 Silly mistake.愚蠢的错误。
admin.initializeApp({
storageBucket: "gs://*****.appspot.com",
});
解决方案8
0 2022-12-01 03:08:30
in my case, after the service account is created, interface returns error: "service account does not have storage.objects.get access for Google Cloud Storage".在我的例子中,创建服务帐户后,界面返回错误:“服务帐户没有 storage.objects.get 访问 Google Cloud Storage”。
But, When I tried again the next day, everything was fine:)但是,当我第二天再次尝试时,一切都很好:)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.