简体繁体 English

创建 GCP 负载均衡器时拒绝访问存储桶

[英]Access Denied to Bucket while creating a GCP Load Balancer

原文 2022-02-18 15:51:34 1 3 google-cloud-platform/ google-cloud-storage/ load-balancing

I am getting the following error while creating and configuring a Load Balancer in GCP.在 GCP 中创建和配置负载均衡器时出现以下错误。 The issue seems to be related to the creation of the Backend bucket due that i am receiving the following error:该问题似乎与后端存储桶的创建有关，因为我收到以下错误：

Access denied to the Cloud Storage bucket '[NAME of THE Bucket].拒绝访问 Cloud Storage 存储分区“[存储分区的名称]。

The bucket has allUser access permission for public access and is configured as a web site.该bucket拥有allUser access权限，配置为web站点。

Can anyone help me?谁能帮我？

3 个解决方案

The problem was that i was trying to configure a HTTPS Load Balancer meanwhile i had already configured a HTTP Load balancer with a redirection rule to HTTPS.问题是我试图配置一个 HTTPS 负载均衡器，同时我已经配置了一个 HTTP 负载均衡器，其重定向规则为 HTTPS。

I solved the issue deleting the rule from the HTTP Load Balancer before creating the HTTPS Load Balancer.在创建 HTTPS 负载均衡器之前，我解决了从 HTTP 负载均衡器删除规则的问题。 After creating succesfully the Load balancer i configured again the HTTP load balancer to redirect the traffic to HTTPS.成功创建负载均衡器后，我再次配置了 HTTP 负载均衡器，以将流量重定向到 HTTPS。

Both load balancer where using the same IP to redirect the traffic but for different protocols (HTTP and HTTPS)两个负载均衡器都使用相同的 IP 来重定向流量，但使用不同的协议（HTTP 和 HTTPS）

Load balancer 1: HTTP://IP:80 -> HTTPS://IP:443负载均衡器 1：HTTP://IP:80 -> HTTPS://IP:443
Load balancer 2: HTTPS://IP:443 -> Backend Bucket负载均衡器 2：HTTPS://IP:443 -> 后端存储桶

First of all, please confirm that the current setting is the required one and that it was correctly set up by checking that the credentials are correct: ie, if you are using gsutil , check that the credentials stored in your .boto file are accurate.首先，请确认当前设置是必需的，并且通过检查凭据是否正确来正确设置：即，如果您使用的是gsutil ，请检查存储在.boto文件中的凭据是否准确。 Also, confirm that gsutil is using the .boto file you expect by using the command gsutil version -l and checking the config path(s) entry.此外，通过使用命令gsutil version -l并检查config path(s)条目，确认 gsutil 正在使用您期望的.boto文件。

If the credentials are correct, then verify if your requests are being routed through a proxy, using HTTP (instead of HTTPS ).如果凭据正确，则使用HTTP （而不是HTTPS ）验证您的请求是否通过代理进行路由。 If so, check whether your proxy is configured to remove the Authorization header from such requests.如果是这样，请检查您的代理是否配置为从此类请求中删除授权 header。 If so, make sure you are using HTTPS instead of HTTP for your requests.如果是这样，请确保您使用HTTPS而不是HTTP来满足您的请求。

Finally, go to the console and click on "Set bucket permissions" in the bucket's menu.最后，将 go 到控制台并单击存储桶菜单中的“设置存储桶权限” 。 Enter "allUsers" in Add Members, and assign Role -> Storage -> Storage Object Viewer .在 Add Members 中输入“allUsers” ，然后分配Role -> Storage -> Storage Object Viewer 。

Or, if you prefer to use gsutil , running gsutil -m acl set -R -a public-read gs://bucket should set access on all files in that bucket to the public.或者，如果您更喜欢使用gsutil ，运行gsutil -m acl set -R -a public-read gs://bucket应该将该存储桶中所有文件的访问权限设置为公共。 To set default permissions on the bucket in order to make those files public by default when they're added, use gsutil defacl set public-read gs://bucket .要在存储桶上设置默认权限，以便在添加这些文件时默认公开这些文件，请使用gsutil defacl set public-read gs://bucket 。

You can use the following GCP's Official Documentation and the following thread as a reference.您可以使用以下GCP 的官方文档和以下线程作为参考。

To anybody else experiencing this, it may also be the case that your account is missing the necessary permissions.对于遇到这种情况的其他人，也可能是您的帐户缺少必要的权限。

Ensure that in your Projec IAM, your account has the following permissions:确保在您的 Projec IAM 中，您的账户具有以下权限：

Compute Network Admin计算网络管理员
Storage Object Admin存储 Object 管理员

Both of those permissions must be enabled.必须启用这两个权限。 This is true regardless of the other roles you have been assigned.无论您分配了何种其他角色，这都是正确的。 In other words, it is not enough to be the project Owner.换句话说，仅仅成为项目所有者是不够的。 These two permissions must be added separately.这两个权限必须单独添加。