堆栈内存溢出
  简体   繁体   English

尝试使用 REST API 公开对象时出现“访问被拒绝。提供的范围未被授权”错误

[英]"Access Denied. Provided scope(s) are not authorized" error when trying to make objects public using the REST API

 原文  2020-01-07 16:34:06       rest/ google-cloud-platform/ google-cloud-storage/ google-cloud-iam

问题描述

I am attempting to set permissions on individual objects in a Google Cloud Storage bucket to make them publicly viewable, following the steps indicated in Google's documentation .我正在尝试按照 Google 文档中指示的步骤对 Google Cloud Storage 存储桶中的单个对象设置权限以使其公开可见。 When I try to make these requests using our application service account, it fails with HTTP status 403 and the following message:当我尝试使用我们的应用程序服务帐户发出这些请求时,它失败并显示 HTTP 状态403和以下消息:

Access denied.拒绝访问。 Provided scope(s) are not authorized.提供的范围未经授权。

Other requests work fine.其他请求工作正常。 When I try to do the same thing but by providing a token for my personal account, the PUT request to the object's ACL works... about 50% of the time (the rest of the time it is a 503 error, which may or may not be related).当我尝试做同样的事情但通过为我的个人帐户提供令牌时,对对象的 ACL 的PUT请求工作......大约 50% 的时间(rest 的时间是503错误,这可能或可能没有关系)。

Changing the IAM policy for the service account to match mine - it normally has Storage Admin and some other incidental roles - doesn't help, even if I give it the overall Owner IAM role, which is what I have.更改服务帐户的 IAM 策略以匹配我的 - 它通常具有 Storage Admin 和一些其他附带角色 - 没有帮助,即使我赋予它整体所有者 IAM 角色,这就是我所拥有的。

Using neither the XML API nor the JSON version makes a difference.使用XML API 和JSON版本都没有区别。 That the request sometimes works with my personal credentials indicates to me that the request is not incorrectly formed, but there must be something else I've thus far overlooked.该请求有时会与我的个人凭据一起使用,这向我表明该请求的格式没有错误,但必须有其他我迄今为止忽略的东西。 Any ideas?有任何想法吗?

5 个解决方案

解决方案1
 0  2021-09-22 06:39:22

Check for the scope of the service account incase you are using the default compute engine service account.如果您使用的是默认计算引擎服务帐户,请检查服务帐户的范围。 By default the scope is restricted and for GCS it is read only.默认情况下,范围是受限的,对于 GCS,它是只读的。 Use rm -r ~/.gsutil to clear cache in case of clearing cache在清除缓存的情况下使用 rm -r ~/.gsutil 清除缓存

解决方案2
 0  2021-09-29 08:54:58

Follow the documentation you provided, taking into account these points:遵循您提供的文档,并考虑以下几点:

  • Access Control system for the bucket has to be Fine-grained (not uniform).桶的访问控制系统必须是细粒度的(不统一)。

  • In order to make objects publicly available, make sure the bucket does not have the public access prevention enabled.为了使对象公开可用,请确保存储桶未启用公共访问保护 Check this link for further information.检查此 链接以获取更多信息。

  • Grant the service account with the appropriate permissions in the bucket .在存储桶中授予服务帐户适当的权限。 The Storage Legacy Object Owner role ( roles/storage.legacyObjectOwner ) is needed to edit objects ACLs as indicated here .作为指定的保存遗产对象所有者的角色(角色/ storage.legacyObjectOwner)是需要编辑对象的ACL 这里 This role can be granted for individual buckets, not for projects.可以为单个存储桶而不是项目授予此角色。

  • Create the json file as indicated in the documentation.按照文档中的说明创建json文件。

  • Use gcloud auth application-default print-access-token to get authorization access token and use it in the API call.使用gcloud auth application-default print-access-token获取授权访问令牌并在 API 调用中使用它。 The API call should look like: API 调用应如下所示:

curl -X POST --data-binary @JSON_FILE_NAME.json \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/o/OBJECT_NAME/acl"

解决方案3
 0  2021-11-20 23:20:02

You need to add OAuth scope: cloud-platform when you create the instance.创建实例时需要添加 OAuth scope: cloud-platform。 Look: https://cloud.google.com/sdk/gcloud/reference/compute/instances/create#--scopes看: https : //cloud.google.com/sdk/gcloud/reference/compute/instances/create#--scopes

Either select " Allow full access to all Cloud APIs " or select the fine-grained approach选择“允许完全访问所有云 API ”或选择细粒度的方法

解决方案4
 0  2021-12-05 12:12:25

When trying to access GCS from a GCE instance and getting this error message ...当尝试从 GCE 实例访问 GCS 并收到此错误消息时...
the default scope is devstorage.read_only , which prevents all write operations.默认范围devstorage.read_only ,它阻止所有写操作。

Not sure if scope https://www.googleapis.com/auth/cloud-platform is required, when scope https://www.googleapis.com/auth/devstorage.read_only is given by default (eg. to read startup scripts).不确定是否需要范围https://www.googleapis.com/auth/cloud-platform ,当范围https://www.googleapis.com/auth/devstorage.read_only默认给出时(例如,读取启动脚本)。 The scope should rather be: https://www.googleapis.com/auth/devstorage.read_write .范围应该是: https://www.googleapis.com/auth/devstorage.read_write

And one can use gcloud beta compute instances set-scopes to edit the scopes of an instance:并且可以使用gcloud beta compute instances set-scopes来编辑实例的范围:

gcloud beta compute instances set-scopes $INSTANCE_NAME \
  --project=$PROJECT_ID \
  --zone=$COMPUTE_ZONE \
  --scopes=https://www.googleapis.com/auth/devstorage.read_write \
  --service-account=$SERVICE_ACCOUNT

One can also pass all known alias names for scopes, eg: --scopes=cloud-platform .还可以传递范围的所有已知别名,例如: --scopes=cloud-platform The command must be run outside of the instance, because of permissions - and the instance must be shutdown, in order to change the service account.由于权限原因,该命令必须在实例之外运行 - 并且实例必须关闭,以便更改服务帐户。

解决方案5
 0  2022-03-25 09:35:49

So, years later, it turns out the problem is that "scope" is being used by the Google Cloud API to refer to two subtly different things.所以,多年后,事实证明问题是谷歌云 API 使用“范围”来指代两个微妙不同的事物。 One is the available permission scopes available to the service account, which is what I (and most of the other people who answered the question) kept focusing on, but the problem turned out to be something else.一个是服务帐户可用的可用权限范围,这是我(以及大多数其他回答该问题的人)一直关注的问题,但问题出在其他方面。 The Python class google.auth.credentials.Credentials , used by various Google Cloud client classes to authenticate, also has permission scopes used for OAuth. You see where this is going - the client I was using was being created with a default OAuth scope of 'https://www.googleapis.com/auth/devstorage.read_write' , but to make something public requires the scope 'https://www.googleapis.com/auth/devstorage.full_control' . Python class google.auth.credentials.Credentials ,被各种谷歌云客户端类用来进行身份验证,有用于 OAuth 的权限范围。你看这是怎么回事 - 我使用的客户端是用默认的 OAuth scope 创建的'https://www.googleapis.com/auth/devstorage.read_write' ,但要公开某些内容需要 scope 'https://www.googleapis.com/auth/devstorage.full_control' Adding this scope to the OAuth credential request means the setting public permissions on objects works.将此 scope 添加到 OAuth 凭据请求意味着设置对象的公共权限有效。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 尝试从 AWS Lambda 访问 S3 时访问被拒绝 - Access Denied when trying to access S3 from AWS Lambda Twilio 尝试使用 fetch 方法访问时抛出拒绝访问错误 - Twilio throws access denied error when trying to access by using fetch method 访问被拒绝。 检查凭据并重试 outlook API 和 microsoft graph - Access is denied. Check credentials and try again outlook API and microsoft graph 使用 CLI 使 S3 存储桶权限对“所有人”公开访问 - Make an S3 Bucket Permissions Public Access to 'Everyone' using CLI ##[错误]被拒绝:将 docker 图像推送到 AWS ECR 时未授权 - ##[error]denied: Not Authorized when pushing docker image to AWS ECR 如何解决 deploy serverless error: The provided access key is not authorized for this operation? - How do I solve the deploy serverless error : The provided access key is not authorized for this operation? HTTP 基本:访问被拒绝。 只为一个项目 - HTTP Basic: Access denied. for only one project 使用 cloudformation 模板向公众授予对 s3 存储桶对象的读取和查看权限 - give public read and view access to s3 bucket objects using cloudformation template 使用亚马逊 s3 客户端列出 object 时访问被拒绝 - Access Denied when listing object using amazon s3 client 尝试访问公共 API 网关时出现“缺少身份验证令牌”错误消息 - "Missing Authentication Token" error message, while trying to access public API gateway
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM