在 GCP 中对 Artifact Registry 设置 IAM 政策时出现权限错误
[英]Permission error when setting IAM policy on Artifact Registry in GCP
问题描述
I'm following this guide and getting stuck at step 3. When I run
我正在遵循本指南并卡在第 3 步。当我运行时
gcloud artifacts repositories add-iam-policy-binding [myrepo] \
--location us \
--member=serviceAccount:build-robot@[myproject].iam.gserviceaccount.com \
--role=roles/artifactregistry.writer
I get PERMISSION_DENIED: The caller does not have permission .我得到PERMISSION_DENIED: The caller does not have permission 。
gcloud is running as roles/Owner (myself) so I definitely have permission to perform the action. gcloud 作为角色/所有者(我自己)运行,所以我绝对有权执行该操作。
I can add a project binding for the service account with role roles/cloudbuild.builds.builder , and this works (I can push and pull images from the artifact registry using the build-robot service account), but is far too permissive for what I want the service account to do.我可以使用角色roles/cloudbuild.builds.builder为服务帐户添加项目绑定,这很有效(我可以使用 build-robot 服务帐户从工件注册表中推送和拉取图像),但是对于什么来说太宽容了我想要服务帐户来做。
1 个解决方案
解决方案1
2 已采纳 2021-03-29 14:49:45
Sometimes this error may happen due to the specified location in the --location tag not being the correct one.有时,由于--location标签中的指定位置不正确,可能会发生此错误。
Check that the artifact to which you're granting permissions is in US, as the tutorial you shared assumes you've created it in US, or otherwise change the location tag accordingly.检查您授予权限的工件是否在美国,因为您共享的教程假定您已在美国创建它,或者相应地更改位置标签。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.