[英]"Access Denied. Provided scope(s) are not authorized" error when trying to make objects public using the REST API
I am attempting to set permissions on individual objects in a Google Cloud Storage bucket to make them publicly viewable, following the steps indicated in Google's documentation .我正在尝试按照 Google 文档中指示的步骤对 Google Cloud Storage 存储桶中的单个对象设置权限以使其公开可见。 When I try to make these requests using our application service account, it fails with HTTP status
403
and the following message:当我尝试使用我们的应用程序服务帐户发出这些请求时,它失败并显示 HTTP 状态
403
和以下消息:
Access denied.
拒绝访问。 Provided scope(s) are not authorized.
提供的范围未经授权。
Other requests work fine.其他请求工作正常。 When I try to do the same thing but by providing a token for my personal account, the
PUT
request to the object's ACL works... about 50% of the time (the rest of the time it is a 503
error, which may or may not be related).当我尝试做同样的事情但通过为我的个人帐户提供令牌时,对对象的 ACL 的
PUT
请求工作......大约 50% 的时间(rest 的时间是503
错误,这可能或可能没有关系)。
Changing the IAM policy for the service account to match mine - it normally has Storage Admin and some other incidental roles - doesn't help, even if I give it the overall Owner IAM role, which is what I have.更改服务帐户的 IAM 策略以匹配我的 - 它通常具有 Storage Admin 和一些其他附带角色 - 没有帮助,即使我赋予它整体所有者 IAM 角色,这就是我所拥有的。
Using neither the XML
API nor the JSON
version makes a difference.使用
XML
API 和JSON
版本都没有区别。 That the request sometimes works with my personal credentials indicates to me that the request is not incorrectly formed, but there must be something else I've thus far overlooked.该请求有时会与我的个人凭据一起使用,这向我表明该请求的格式没有错误,但必须有其他我迄今为止忽略的东西。 Any ideas?
有任何想法吗?
Check for the scope of the service account incase you are using the default compute engine service account.如果您使用的是默认计算引擎服务帐户,请检查服务帐户的范围。 By default the scope is restricted and for GCS it is read only.
默认情况下,范围是受限的,对于 GCS,它是只读的。 Use rm -r ~/.gsutil to clear cache in case of clearing cache
在清除缓存的情况下使用 rm -r ~/.gsutil 清除缓存
Follow the documentation you provided, taking into account these points:遵循您提供的文档,并考虑以下几点:
Access Control system for the bucket has to be Fine-grained (not uniform).桶的访问控制系统必须是细粒度的(不统一)。
In order to make objects publicly available, make sure the bucket does not have the public access prevention enabled.为了使对象公开可用,请确保存储桶未启用公共访问保护。 Check this link for further information.
检查此 链接以获取更多信息。
Grant the service account with the appropriate permissions in the bucket .在存储桶中授予服务帐户适当的权限。 The Storage Legacy Object Owner role ( roles/storage.legacyObjectOwner ) is needed to edit objects ACLs as indicated here .
作为指定的保存遗产对象所有者的角色(角色/ storage.legacyObjectOwner)是需要编辑对象的ACL 这里。 This role can be granted for individual buckets, not for projects.
可以为单个存储桶而不是项目授予此角色。
Create the json
file as indicated in the documentation.按照文档中的说明创建
json
文件。
Use gcloud auth application-default print-access-token
to get authorization access token and use it in the API call.使用
gcloud auth application-default print-access-token
获取授权访问令牌并在 API 调用中使用它。 The API call should look like: API 调用应如下所示:
curl -X POST --data-binary @JSON_FILE_NAME.json \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type: application/json" \
"https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/o/OBJECT_NAME/acl"
You need to add OAuth scope: cloud-platform when you create the instance.创建实例时需要添加 OAuth scope: cloud-platform。 Look: https://cloud.google.com/sdk/gcloud/reference/compute/instances/create#--scopes
看: https : //cloud.google.com/sdk/gcloud/reference/compute/instances/create#--scopes
Either select " Allow full access to all Cloud APIs " or select the fine-grained approach选择“允许完全访问所有云 API ”或选择细粒度的方法
When trying to access GCS from a GCE instance and getting this error message ...当尝试从 GCE 实例访问 GCS 并收到此错误消息时...
the default scope is devstorage.read_only
, which prevents all write operations.默认范围是
devstorage.read_only
,它阻止所有写操作。
Not sure if scope https://www.googleapis.com/auth/cloud-platform
is required, when scope https://www.googleapis.com/auth/devstorage.read_only
is given by default (eg. to read startup scripts).不确定是否需要范围
https://www.googleapis.com/auth/cloud-platform
,当范围https://www.googleapis.com/auth/devstorage.read_only
默认给出时(例如,读取启动脚本)。 The scope should rather be: https://www.googleapis.com/auth/devstorage.read_write
.范围应该是:
https://www.googleapis.com/auth/devstorage.read_write
。
And one can use gcloud beta compute instances set-scopes
to edit the scopes of an instance:并且可以使用
gcloud beta compute instances set-scopes
来编辑实例的范围:
gcloud beta compute instances set-scopes $INSTANCE_NAME \
--project=$PROJECT_ID \
--zone=$COMPUTE_ZONE \
--scopes=https://www.googleapis.com/auth/devstorage.read_write \
--service-account=$SERVICE_ACCOUNT
One can also pass all known alias names for scopes, eg: --scopes=cloud-platform
.还可以传递范围的所有已知别名,例如:
--scopes=cloud-platform
。 The command must be run outside of the instance, because of permissions - and the instance must be shutdown, in order to change the service account.由于权限原因,该命令必须在实例之外运行 - 并且实例必须关闭,以便更改服务帐户。
So, years later, it turns out the problem is that "scope" is being used by the Google Cloud API to refer to two subtly different things.所以,多年后,事实证明问题是谷歌云 API 使用“范围”来指代两个微妙不同的事物。 One is the available permission scopes available to the service account, which is what I (and most of the other people who answered the question) kept focusing on, but the problem turned out to be something else.
一个是服务帐户可用的可用权限范围,这是我(以及大多数其他回答该问题的人)一直关注的问题,但问题出在其他方面。 The Python class
google.auth.credentials.Credentials
, used by various Google Cloud client classes to authenticate, also has permission scopes used for OAuth. You see where this is going - the client I was using was being created with a default OAuth scope of 'https://www.googleapis.com/auth/devstorage.read_write'
, but to make something public requires the scope 'https://www.googleapis.com/auth/devstorage.full_control'
. Python class
google.auth.credentials.Credentials
,被各种谷歌云客户端类用来进行身份验证,也有用于 OAuth 的权限范围。你看这是怎么回事 - 我使用的客户端是用默认的 OAuth scope 创建的'https://www.googleapis.com/auth/devstorage.read_write'
,但要公开某些内容需要 scope 'https://www.googleapis.com/auth/devstorage.full_control'
。 Adding this scope to the OAuth credential request means the setting public permissions on objects works.将此 scope 添加到 OAuth 凭据请求意味着设置对象的公共权限有效。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.