[英]Getting an error when trying to use set iam policy method in gcp to update cloud storage policy using python?
Getting an error when trying to add encrypter decrypter role to the bucket service account.尝试将加密器解密器角色添加到存储桶服务帐户时出错。 Below is the code.. Any idea what's missing?
下面是代码..知道缺少什么吗?
storage_client = storage.Client(credentials=credentials)
sa_name = storage_client.get_service_account_email("project name")
print(sa_name)
bucket = storage_client.get_bucket("bucket name")
policy = bucket.get_iam_policy(requested_policy_version=3)
policy.version = 3
policy.bindings.append({
"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
"members": {"serviceAccount:{}".format(sa_name)}
})
bucket.set_iam_policy(policy)
**Error:** google.api_core.exceptions.BadRequest: 400 PUT https://storage.googleapis.com/storage/v1/b/bucketname/iam?prettyPrint=false: Role roles/cloudkms.cryptoKeyEncrypterDecrypter is not supported for this resource.
The error message XYZ is not supported for this resource means that you are trying to grant a permission (role) to a resource that does not use that permission or does not provide a resource, such as a KMS key, upon which that permission can be granted.错误消息XYZ is not supported for this resource表示您正在尝试向不使用该权限或不提供该权限的资源(例如 KMS 密钥)授予权限(角色)的确。
In your question you are trying to grant the permission roles/cloudkms.cryptoKeyEncrypterDecrypter to a Google Cloud Storage bucket .在您的问题中,您尝试将权限roles/cloudkms.cryptoKeyEncrypterDecrypter授予 Google Cloud Storage bucket 。 You have the logic reversed, you would modify a KMS resource policy, such as a key instead of a bucket resource policy.
您将逻辑颠倒过来,您将修改 KMS 资源策略,例如密钥而不是存储桶资源策略。 Refer to the following link for more details on binding to a KMS resource:
有关绑定到 KMS 资源的更多详细信息,请参阅以下链接:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.