
How to grant service account access to a user account on google cloud

I have a problem with the gcloud command and have spent a week trying to fix it. When I ran the gcloud command gcloud auth revoke, I got the following error.

WARNING: This command is using service account impersonation. All API calls will be executed as [xxx@gmail.com]. // xxx@gmail.com is my user account which is the owner of the project.
ERROR: (gcloud.iam.service-accounts.create) Failed to impersonate [xxx@gmail.com]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.

To fix this, I created a service account which has the "roles/iam.serviceAccountTokenCreator" role and granted the policy to xxx@gmail.com. But it does not work.

The detailed error is below (ran the command with "--log-http").

=======================
==== request start ====
uri: https://oauth2.googleapis.com/token
method: POST
== headers start ==
content-type: application/x-www-form-urlencoded
user-agent: google-cloud-sdk gcloud/310.0.0 command/gcloud.auth.revoke invocation-id/xxx environment/None environment-version/None interactive/True from-script/False python/2.7.16 term/xterm-256color (Macintosh; Intel Mac OS X 19.2.0)
== headers end ==
== body start ==
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this request.
== body end ==
==== request end ====
---- response start ----
status: 200
-- headers start --
-content-encoding: gzip
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-length: 1389
content-type: application/json; charset=utf-8
date: Sun, 22 Nov 2020 00:59:28 GMT
expires: Mon, 01 Jan 1990 00:00:00 GMT
pragma: no-cache
server: scaffolding on HTTPServer2
transfer-encoding: chunked
vary: Origin, X-Origin, Referer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
-- headers end --
-- body start --
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this response.
-- body end --
total round trip time (request+response): 0.207 secs
---- response end ----
----------------------
=======================
==== request start ====
uri: https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/xxx@gmail.com:generateAccessToken
method: POST
== headers start ==
Content-Type: application/json
authorization: Bearer xxx
user-agent: google-cloud-sdk gcloud/310.0.0 command/gcloud.auth.revoke invocation-id/xxx environment/None environment-version/None interactive/True from-script/False python/2.7.16 term/xterm-256color (Macintosh; Intel Mac OS X 19.2.0)
== headers end ==
== body start ==
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this request.
== body end ==
==== request end ====
---- response start ----
status: 404
-- headers start --
-content-encoding: gzip
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
cache-control: private
content-length: 114
content-type: application/json; charset=UTF-8
date: Sun, 22 Nov 2020 00:59:28 GMT
server: ESF
transfer-encoding: chunked
vary: Origin, X-Origin, Referer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
-- headers end --
-- body start --
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this response.
-- body end --
total round trip time (request+response): 0.389 secs
---- response end ----
----------------------

Another thing that confuses me is that gcloud auth revoke does not work, but gcloud auth login and gcloud auth list work without any errors.

If anyone has faced this issue and knows how to solve it, I would like to know how. Thank you.

I found that I had set my user account as the impersonated service account, which does not make any sense.

After I ran gcloud config unset auth/impersonate_service_account, it works as expected. Thanks.
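Added example, not part of the original question or answer: a POSIX shell check that detects the misconfiguration the answer describes, an auth/impersonate_service_account property pointing at a user account (such as xxx@gmail.com) instead of a service account, which matches the 404 that iamcredentials.googleapis.com returned in the log above. It assumes the gcloud CLI is on PATH; the function names and the --check flag are my own.

```shell
#!/bin/sh
# Added example: classify the configured gcloud impersonation target.
# Google service accounts end in gserviceaccount.com; anything else
# (a gmail.com or Workspace user) cannot be impersonated through
# iamcredentials generateAccessToken.

# Prints one of: service-account, user-account, unset, invalid.
# Returns 0 only for a service account.
classify_impersonation_target() {
  target="$1"
  case "$target" in
    "" | "(unset)")
      echo "unset"; return 1 ;;
    *@*.gserviceaccount.com)
      echo "service-account"; return 0 ;;
    *@*)
      echo "user-account"; return 1 ;;
    *)
      echo "invalid"; return 1 ;;
  esac
}

# Reads the active gcloud property and reports the problem, if any.
# Assumption: `gcloud config get-value` prints nothing on stdout (and
# "(unset)" on stderr) when the property is not set.
check_gcloud_impersonation() {
  target=$(gcloud config get-value auth/impersonate_service_account 2>/dev/null)
  kind=$(classify_impersonation_target "$target")
  case "$kind" in
    service-account)
      echo "OK: API calls will be executed as service account $target" ;;
    unset)
      echo "OK: no impersonation configured; your own credentials are used" ;;
    user-account)
      echo "PROBLEM: auth/impersonate_service_account points at a user account ($target)."
      echo "         generateAccessToken cannot mint tokens for it (expect a 404)."
      echo "         Fix: gcloud config unset auth/impersonate_service_account" ;;
    *)
      echo "PROBLEM: auth/impersonate_service_account holds an unexpected value: $target" ;;
  esac
}

# Run the live check only when invoked as: sh check_impersonation.sh --check
if [ "${1:-}" = "--check" ]; then
  check_gcloud_impersonation
fi
```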
