堆栈内存溢出
  简体   繁体   English

Google Cloud Platform 服务帐号未从组织自定义角色获得权限

[英]Google Cloud Platform service account not getting permissions from organisation custom role

 原文  2022-08-11 16:24:36       google-cloud-platform/ service-accounts/ google-iam

问题描述

I have the following service account我有以下服务帐户

my-sa@my-project.iam.gserviceaccount.com

Which seems to have the following custom role似乎具有以下自定义角色

▶ gcloud projects get-iam-policy my-project  \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:my-sa@my-project.iam.gserviceaccount.com.iam.gserviceaccount.com"
ROLE
organizations/123456789/roles/my_custom_role

This custom role has the following permissions此自定义角色具有以下权限

▶ gcloud iam roles describe my_custom_role --organization 123456789
description: My custom role
etag: kdkdkdkd=
includedPermissions:
- container.clusters.get
- container.clusters.list
- container.clusters.update
- container.nodes.delete
- container.nodes.list
- container.operations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
name: organizations/123456789/roles/my_custom_role
stage: GA
title: my_custom_role-

However, when assuming this role (I create, download and login using a json private key)但是,当担任此角色时(我使用 json 私钥创建、下载和登录)

and listing projects, I cannot see all the organisation's projects but rather only the project the SA belongs to, although I should, given that并列出项目,我看不到该组织的所有项目,而只能看到 SA 所属的项目,尽管我应该,鉴于

  • the SA has an org level role SA 具有组织级别的角色
  • it has the resourcemanager.projects.get and resourcemanager.projects.list permissions它具有resourcemanager.projects.getresourcemanager.projects.list权限

Why is that?这是为什么?

2 个解决方案

解决方案1
 1  2022-08-11 16:28:25

You may need organization permissions too:您可能还需要组织权限:

https://cloud.google.com/resource-manager/reference/rest/v1beta1/organizations/list https://cloud.google.com/resource-manager/reference/rest/v1beta1/organizations/list

organizations.list

解决方案2
 1 已采纳  2022-08-11 16:30:59

To see other projects, you need a higher level permission on your org.要查看其他项目,您需要对您的组织具有更高级别的权限。

and listing projects, I cannot see all the organisation's projects but rather only the project the SA belongs to, although I should, given that并列出项目,我看不到该组织的所有项目,而只能看到 SA 所属的项目,尽管我应该,鉴于

This is expected, because the project can only control who sees this project.这是意料之中的,因为项目只能控制谁可以看到这个项目。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Google Cloud Platform 服务帐户密钥保留和客户端连接 - Google Cloud Platform Service Account Key retention and client connections 将数据上传到 BigQuery 的 Google Cloud Function 的服务帐户角色 - Service account role for a Google Cloud Function that uploads data to BigQuery 使用 Google Cloud Platform 服务帐户查询 GSuite Directory API - Query GSuite Directory API with a Google Cloud Platform service account Google Cloud Platform:有没有办法使用服务帐户密钥获取有关服务帐户创建者的信息 - Google Cloud Platform: Is there a way to get information about the creator of a service account, using the service account key 如何在 python 程序中定义我的 Google Cloud Platform 服务帐户的密钥? - How do I define my Google Cloud Platform service account's key in a python program? 如何使用 Terraform 在不同项目中为 Google Cloud 中的其他项目服务帐户添加 IAM 角色 - How can I add IAM role for other project service account in Google Cloud in different project using Terraform Azure 服务总线主题自定义角色权限 - Azure Service Bus topic custom role permissions 如何允许用户成为 Google Cloud Platform (GCP) 中服务帐户的参与者? - How can I allow a user to become an actor of a service account in Google Cloud Platform (GCP)? 我获得存储权限的服务帐户没有对 Google Cloud Storage 存储桶的 storage.objects.list 访问权限 - My service account which was given storage permissions does not have storage.objects.list access to the Google Cloud Storage bucket 谷歌云平台上的 MVC 5 和外部登录(使用谷歌帐户)返回 null - MVC 5 and External login (With Google account) on Google Cloud Platform return null
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM