[英]Permission error when setting IAM policy on Artifact Registry in GCP
I'm following this guide and getting stuck at step 3. When I run我正在遵循本指南并卡在第 3 步。当我运行时
gcloud artifacts repositories add-iam-policy-binding [myrepo] \
--location us \
--member=serviceAccount:build-robot@[myproject].iam.gserviceaccount.com \
--role=roles/artifactregistry.writer
I get PERMISSION_DENIED: The caller does not have permission
.我得到PERMISSION_DENIED: The caller does not have permission
。
gcloud is running as roles/Owner (myself) so I definitely have permission to perform the action. gcloud 作为角色/所有者(我自己)运行,所以我绝对有权执行该操作。
I can add a project binding for the service account with role roles/cloudbuild.builds.builder
, and this works (I can push and pull images from the artifact registry using the build-robot service account), but is far too permissive for what I want the service account to do.我可以使用角色roles/cloudbuild.builds.builder
为服务帐户添加项目绑定,这很有效(我可以使用 build-robot 服务帐户从工件注册表中推送和拉取图像),但是对于什么来说太宽容了我想要服务帐户来做。
Sometimes this error may happen due to the specified location in the --location
tag not being the correct one.有时,由于--location
标签中的指定位置不正确,可能会发生此错误。
Check that the artifact to which you're granting permissions is in US, as the tutorial you shared assumes you've created it in US, or otherwise change the location tag accordingly.检查您授予权限的工件是否在美国,因为您共享的教程假定您已在美国创建它,或者相应地更改位置标签。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.