How to grant service account access to a user account on Google Cloud
I have a problem with the gcloud command and have spent a week trying to fix it. When I run the gcloud command gcloud auth revoke, I get the following error.
WARNING: This command is using service account impersonation. All API calls will be executed as [xxx@gmail.com]. // xxx@gmail.com is my user account which is the owner of the project.
ERROR: (gcloud.iam.service-accounts.create) Failed to impersonate [xxx@gmail.com]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.
To fix this, I created a service account which has the "roles/iam.serviceAccountTokenCreator" role and granted the policy to xxx@gmail.com. But it does not work.
The detailed error is below (I ran the command with "--log-http").
=======================
==== request start ====
uri: https://oauth2.googleapis.com/token
method: POST
== headers start ==
content-type: application/x-www-form-urlencoded
user-agent: google-cloud-sdk gcloud/310.0.0 command/gcloud.auth.revoke invocation-id/xxx environment/None environment-version/None interactive/True from-script/False python/2.7.16 term/xterm-256color (Macintosh; Intel Mac OS X 19.2.0)
== headers end ==
== body start ==
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this request.
== body end ==
==== request end ====
---- response start ----
status: 200
-- headers start --
-content-encoding: gzip
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-length: 1389
content-type: application/json; charset=utf-8
date: Sun, 22 Nov 2020 00:59:28 GMT
expires: Mon, 01 Jan 1990 00:00:00 GMT
pragma: no-cache
server: scaffolding on HTTPServer2
transfer-encoding: chunked
vary: Origin, X-Origin, Referer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
-- headers end --
-- body start --
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this response.
-- body end --
total round trip time (request+response): 0.207 secs
---- response end ----
----------------------
=======================
==== request start ====
uri: https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/xxx@gmail.com:generateAccessToken
method: POST
== headers start ==
Content-Type: application/json
authorization: Bearer xxx
user-agent: google-cloud-sdk gcloud/310.0.0 command/gcloud.auth.revoke invocation-id/xxx environment/None environment-version/None interactive/True from-script/False python/2.7.16 term/xterm-256color (Macintosh; Intel Mac OS X 19.2.0)
== headers end ==
== body start ==
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this request.
== body end ==
==== request end ====
---- response start ----
status: 404
-- headers start --
-content-encoding: gzip
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
cache-control: private
content-length: 114
content-type: application/json; charset=UTF-8
date: Sun, 22 Nov 2020 00:59:28 GMT
server: ESF
transfer-encoding: chunked
vary: Origin, X-Origin, Referer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
-- headers end --
-- body start --
Body redacted: Contains oauth token. Set log_http_redact_token property to false to print the body of this response.
-- body end --
total round trip time (request+response): 0.389 secs
---- response end ----
----------------------
Another thing that confuses me is that gcloud auth revoke does not work, but gcloud auth login and gcloud auth list work without any errors.
If anyone has faced this issue and knows how to solve it, I would like to know how. Thank you.
I found that I had set my user account as the impersonated service account, which does not make any sense.
After I ran gcloud config unset auth/impersonate_service_account, it works as expected. Thanks.