无法在新 GCE 虚拟机上列出服务帐户
[英]Cannot list service accounts on new GCE VM
问题描述
I created a new VM in a google compute engine project.
我在一个谷歌计算引擎项目中创建了一个新的虚拟机。 I changed the "Compute Engine" access scope to "Read Write" after creating the VM.创建 VM 后,我将“计算引擎”访问 scope 更改为“读写”。
On the existing (long-running) VM, if I do:在现有的(长期运行的)VM 上,如果我这样做:
gcloud iam service-accounts list
I see the default service account for the project.我看到了该项目的默认服务帐户。
However, if I do the same thing on the newly created VM, I get an error:但是,如果我在新创建的 VM 上执行相同的操作,则会收到错误消息:
gcloud iam service-accounts list
ERROR: (gcloud.iam.service-accounts.list) User [<service-account>] does not have permission to access projects instance [<project>] (or it may not exist): Request had insufficient authentication scopes.
The original VM is a ubuntu-16, the new VM is ubuntu-18 freshly created from a google image.原始 VM 是 ubuntu-16,新 VM 是从 google 映像新创建的 ubuntu-18。
If I look at the project IAM roles, my user has the following roles:如果我查看项目 IAM 角色,我的用户具有以下角色:
- Access Approval Config Editor
- Compute Admin
- Role Viewer
- Service Account Admin
- Owner
- Organization Administrator
What am I missing?我错过了什么? The access scopes for the two VMs are the same:两个虚拟机的访问范围是一样的:
- Compute Engine Read Write
- Service Control Enabled
- Service Management Read Only
- Stackdriver Logging API Write Only
- Stackdriver Monitoring API Write Only
- Stackdriver Trace Write Only
- Storage Read Only
What controls access for the individual VMs other than the access scopes?除了访问范围之外,还有什么控制单个 VM 的访问?
2 个解决方案
解决方案1
0 2020-11-28 04:27:44
The problem was the SSH window was running under the service account, not my normal user account.问题是 SSH window 在服务帐户下运行,而不是我的普通用户帐户。 I needed to run我需要跑步
gcloud init
to reconfigure to use my regular account.重新配置以使用我的常规帐户。
I discovered this by doing我通过这样做发现了这一点
gcloud config list
on both machines.在两台机器上。
解决方案2
0 2020-11-28 21:25:41
PART 1第1部分
What controls access for the individual VMs other than the access scopes?
The union of Compute Engine Scopes and service account permissions. Compute Engine 范围和服务帐号权限的结合。
Google Compute Engine scopes limit permissions, scopes do not grant permissions. Google Compute Engine 范围限制权限,范围不授予权限。
The service account assigned to Compute Engine determines the permissions/roles that are available.分配给 Compute Engine 的服务帐号决定了可用的权限/角色。 Scopes can limit those permissions granted to the service account.范围可以限制授予服务帐户的权限。 Scopes cannot grant permissions that the service account does not already have.范围不能授予服务帐户尚未拥有的权限。
Scopes are a legacy authorization mechanism.范围是一种遗留的授权机制。
PART 2第2部分
gcloud iam service-accounts list ERROR: (gcloud.iam.service-accounts.list) User [] does not have permission to access projects instance [] (or it may not exist): Request had insufficient authentication scopes.
Part of this message is confusing to most people.这条信息的一部分让大多数人感到困惑。 Scopes are a legacy authentication mechanism that Google used before IAM.范围是 Google 在 IAM 之前使用的旧式身份验证机制。 Scopes are similar to permissions and in this message mean OAuth 2 Permissions .范围类似于权限,在此消息中表示OAuth 2 Permissions 。
The command gcloud iam service-accounts list requires the permission iam.serviceAccounts.list which is present in roles such as roles/iam.serviceAccountUser named Service Account User .命令gcloud iam service-accounts list需要权限iam.serviceAccounts.list ,该权限存在于角色中,例如名为Service Account User的roles/iam.serviceAccountUser 。 The service account mentioned in the error does not have one of the roles granting the permission to list service accounts or the Scopes are limiting a permission granted to the service account.错误中提到的服务帐户没有授予列出服务帐户权限的角色之一,或者范围正在限制授予服务帐户的权限。 Read my recommendation at the end.最后阅读我的建议。
Part 3第 3 部分
If I look at the project IAM roles, my user has the following roles:
The roles assigned to the user are not related to the roles assigned to the Compute Engine service account.分配给用户的角色与分配给 Compute Engine 服务帐号的角色无关。
If you logged into Compute Engine using SSH and did not do anything else to authenticate then you are using Compute Engine Default Service Account credentials.如果您使用 SSH 登录 Compute Engine 并且没有执行任何其他操作来进行身份验证,那么您使用的是 Compute Engine 默认服务帐户凭据。 Service Account and Scopes affect your permissions.服务帐户和范围会影响您的权限。
If you logged into Compute Engine using SSH and you use your own account for authentication ( gcloud auth login or similar) then your user identity is using the the permissions granted to your user account and not the Compute Engine Default service account credentials.如果您使用 SSH 登录 Compute Engine 并使用自己的帐户进行身份验证( gcloud auth login或类似帐户),那么您的用户身份使用的是授予您的用户帐户的权限,而不是 Compute Engine 默认服务帐户凭据。
Part 4第 4 部分
The original VM is a ubuntu-16, the new VM is ubuntu-18 freshly created from a google image.
If the scopes are the same for both VMs, then your issue is the service account.如果两个 VM 的范围相同,那么您的问题是服务帐户。 Normally Compute Engine VMs use the Compute Engine Default Service Account.通常 Compute Engine 虚拟机使用 Compute Engine 默认服务帐号。 You can change which service account is assigned to each VM.您可以更改分配给每个 VM 的服务帐户。 Double check what is assigned to each VM.仔细检查分配给每个 VM 的内容。
Summary概括
I recommend that you set the scopes to Allow full access to all Cloud APIs and control the permissions via roles granted to the service account.我建议您将范围设置为Allow full access to all Cloud APIs ,并通过授予服务帐户的角色控制权限。 Do not use roles such as Project Owner or Project Editor .不要使用Project Owner或Project Editor等角色。 Those roles are very powerful.这些角色非常强大。 Use fine grained permissions for each Google Cloud service that Compute Engine needs to access.对 Compute Engine 需要访问的每个 Google Cloud 服务使用细粒度的权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.