[英]service account does not have storage.objects.get access for Google Cloud Storage
I have created a service account in Google Cloud Console and selected role Storage
/ Storage Admin
(ie full control of GCS resources).我在 Google Cloud Console 中创建了一个服务帐户并选择了角色Storage
/ Storage Admin
(即对 GCS 资源的完全控制)。
gcloud projects get-iam-policy my_project
seems to indicate that the role was actually selected: gcloud projects get-iam-policy my_project
似乎表明该角色实际上已被选中:
- members:
- serviceAccount:my_sa@my_project.iam.gserviceaccount.com
role: roles/storage.admin
- members:
- serviceAccount:my_sa@my_project.iam.gserviceaccount.com
role: roles/storage.objectAdmin
- members:
- serviceAccount:my_sa@my_project.iam.gserviceaccount.com
role: roles/storage.objectCreator
And documentation clearly indicates that role roles/storage.admin
comprises permissions storage.objects.*
(as well as storage.buckets.*
). 文档清楚地表明角色roles/storage.admin
包含权限storage.objects.*
(以及storage.buckets.*
)。
But when I try using that service account in conjunction with the Google Cloud Storage Client Library for Python, I receive this error message:但是,当我尝试将该服务帐户与 Python 的 Google Cloud Storage Client Library 结合使用时,我收到此错误消息:
my_sa@my_project.iam.gserviceaccount.com does not have storage.objects.get access to my_project/my_bucket. my_sa@my_project.iam.gserviceaccount.com 没有 storage.objects.get 访问 my_project/my_bucket。
So why would the selected role not be sufficient in this context?那么,为什么所选角色在这种情况下还不够呢?
The problem was apparently that the service account was associated with too many roles, perhaps as a results of previous configuration attempts.问题显然是服务帐户与太多角色相关联,这可能是先前配置尝试的结果。
These steps resolved the issue:这些步骤解决了这个问题:
my_sa
under IAM & Admin
/ IAM
删除了IAM & Admin
/ IAM
下有问题的服务帐户(成员) my_sa
的所有(三个)角色my_sa
under IAM & Admin
/ Service accounts
删除了IAM & Admin
/ Service accounts
下的my_sa
my_sa
(again with role Storage
/ Storage Admin
)重新创建my_sa
(再次使用角色Storage
/ Storage Admin
)Effects are like this:效果是这样的:
my_sa
shows up with one role ( Storage Admin
) under IAM & Admin
/ IAM
my_sa
在IAM & Admin
/ IAM
下显示一个角色 ( Storage Admin
)my_sa
shows up as member under Storage
/ Browser
/ my_bucket
/ Edit bucket permissions
my_sa
在Storage
/ Browser
/ my_bucket
/ Edit bucket permissions
下显示为成员It's worth noting, that you need to wait up to a few minutes for permissions to be working in case you just assigned them.值得注意的是,如果您刚刚分配了权限,您最多需要等待几分钟才能正常工作。 At least that's what happened to me after:至少那是我之后发生的事情:
gcloud projects add-iam-policy-binding xxx --member
"serviceAccount:xxx@xxx.iam.gserviceaccount.com" --role "roles/storage.objectViewer"
Go to your bucket's permissions section and open add permissions section for your bucket.转到您的存储桶的权限部分并为您的存储桶打开添加权限部分。 For example, insufficient service, which gcloud tells you, is;例如,gcloud 告诉您的服务不足是;
1234567890-compute@developer.gserviceaccount.com
Add this service as user then give these roles;将此服务添加为用户,然后赋予这些角色;
Then you should have sufficient permissions to make changes on your bucket.然后,您应该有足够的权限对您的存储桶进行更改。
I faced this problem when trying to check if a bucket already existed in my project before creating it and in my case it wasnt per say an issue of roles because my service account had a storage admin, storage object admin and creator roles but it turned out that the bucket name I was trying to check existed/create (from inside my python code) wasn't globally unique.我在创建项目之前尝试检查存储桶是否已经存在时遇到了这个问题,在我的情况下,这不是角色问题,因为我的服务帐户有存储管理员、存储对象管理员和创建者角色,但结果是我试图检查存在/创建的存储桶名称(从我的 python 代码中)不是全局唯一的。 When I changed the name of the bucket to something globally unique the error went away.当我将存储桶的名称更改为全局唯一的名称时,错误消失了。
For me, it was because deployed with the "default-bucket"
as parameter needed for the storage emulator.对我来说,这是因为使用"default-bucket"
作为存储模拟器所需的参数进行部署。
admin.storage().bucket('default-bucket'); // do not deploy that
To fix it, I set the default bucket name at the initialization of the firebase admin.为了解决这个问题,我在 firebase 管理员初始化时设置了默认存储桶名称。
const admin = require('firebase-admin');
const config = process.env.FUNCTIONS_EMULATOR ? {
storageBucket: 'default-bucket',
} : {
storageBucket: 'YOUT_FIREBASE_STORAGE_BUCKET',
};
admin.initializeApp(config);
const bucket = admin.storage().bucket();
I just realized this happens some times when you are just creating the Firebase/Firestore/Storage project by first time.我刚刚意识到,当您第一次创建 Firebase/Firestore/Storage 项目时,有时会发生这种情况。
If you got this error in your first installation/deploy/setup, just wait 1 minute and try again.如果您在第一次安装/部署/设置中遇到此错误,请等待 1 分钟,然后重试。 Seems like some delays in the Google Cloud deploys/serving are responsible of this.似乎谷歌云部署/服务中的一些延迟是造成这种情况的原因。
I got this error when I copied a cloud function from another project because I forgot to update the storage bucket.当我从另一个项目复制云 function 时出现此错误,因为我忘记更新存储桶。 Silly mistake.愚蠢的错误。
admin.initializeApp({
storageBucket: "gs://*****.appspot.com",
});
in my case, after the service account is created, interface returns error: "service account does not have storage.objects.get access for Google Cloud Storage".在我的例子中,创建服务帐户后,界面返回错误:“服务帐户没有 storage.objects.get 访问 Google Cloud Storage”。
But, When I tried again the next day, everything was fine:)但是,当我第二天再次尝试时,一切都很好:)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.