Google Cloud Platform service account not getting permissions from organisation custom role
I have the following service account:
my-sa@my-project.iam.gserviceaccount.com
which seems to have the following custom role:
▶ gcloud projects get-iam-policy my-project \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:my-sa@my-project.iam.gserviceaccount.com"
ROLE
organizations/123456789/roles/my_custom_role
This custom role has the following permissions:
▶ gcloud iam roles describe my_custom_role --organization 123456789
description: My custom role
etag: kdkdkdkd=
includedPermissions:
- container.clusters.get
- container.clusters.list
- container.clusters.update
- container.nodes.delete
- container.nodes.list
- container.operations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
name: organizations/123456789/roles/my_custom_role
stage: GA
title: my_custom_role-
However, when assuming this role (I create, download and log in using a JSON private key) and listing projects, I cannot see all the organisation's projects but rather only the project the SA belongs to, although I should, given that it has the resourcemanager.projects.get and resourcemanager.projects.list permissions. Why is that?
You may need organization permissions too:
https://cloud.google.com/resource-manager/reference/rest/v1beta1/organizations/list
organizations.list
To see other projects, you need a higher-level permission on your org.
"and listing projects, I cannot see all the organisation's projects but rather only the project the SA belongs to, although I should, given that ..."
This is expected, because the project can only control who sees this project.
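The point both answers make is that an IAM role is granted on a resource, not "assumed" by a principal: the custom role is defined at the organisation, but the binding in the question sits on my-project, so its permissions apply to that project only, and projects.list only returns projects on which the caller holds resourcemanager.projects.get. The following toy model of policy inheritance is an added example, not code from the question, the answers or Google; the hierarchy (one organisation, three projects), the project names other-project-a/-b and the trimmed permission set are constructed for illustration.

```python
"""
Toy model of Google Cloud IAM policy inheritance (constructed example, not
Google's implementation). Resources form a hierarchy organization -> project.
A role binding on a resource grants the role's permissions on that resource
and on every descendant. projects.list is modelled as returning only the
projects on which the caller holds resourcemanager.projects.get, so a binding
made on a single project exposes only that project even though the role
itself is defined at the organization.
"""
from dataclasses import dataclass, field

# Constructed: the custom role from the question, keyed by its org-level name
# (permission list trimmed to what matters for visibility).
ROLES = {
    "organizations/123456789/roles/my_custom_role": {
        "container.clusters.get",
        "container.clusters.list",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    },
}

SA = "serviceAccount:my-sa@my-project.iam.gserviceaccount.com"
ROLE = "organizations/123456789/roles/my_custom_role"


@dataclass
class Resource:
    name: str                                   # e.g. "organizations/123456789"
    parent: "Resource | None" = None
    bindings: dict = field(default_factory=dict)   # role -> set of members

    def add_binding(self, role, member):
        self.bindings.setdefault(role, set()).add(member)


def permissions_on(resource, member):
    """Union of permissions from bindings on the resource and on all its ancestors."""
    perms = set()
    node = resource
    while node is not None:
        for role, members in node.bindings.items():
            if member in members:
                perms |= ROLES.get(role, set())
        node = node.parent
    return perms


def list_projects(projects, member):
    """Mimic projects.list: only projects where the caller can projects.get."""
    return sorted(p.name for p in projects
                  if "resourcemanager.projects.get" in permissions_on(p, member))


def build_hierarchy():
    # Constructed hierarchy: one organization, three child projects.
    org = Resource("organizations/123456789")
    projects = [Resource(f"projects/{n}", parent=org)
                for n in ("my-project", "other-project-a", "other-project-b")]
    return org, projects


def project_level_binding():
    """Binding on my-project only: the situation described in the question."""
    org, projects = build_hierarchy()
    projects[0].add_binding(ROLE, SA)
    return list_projects(projects, SA)


def org_level_binding():
    """Same role bound on the organization: inherited by every project beneath it."""
    org, projects = build_hierarchy()
    org.add_binding(ROLE, SA)
    return list_projects(projects, SA)


if __name__ == "__main__":
    print("project-level binding sees:", project_level_binding())
    print("org-level binding sees:    ", org_level_binding())
```

With a real organisation the equivalent check is `gcloud organizations get-iam-policy 123456789` (the SA will be absent from it in the question's setup), and the fix the answers point at is an organisation-level binding, `gcloud organizations add-iam-policy-binding 123456789 --member="serviceAccount:my-sa@my-project.iam.gserviceaccount.com" --role="organizations/123456789/roles/my_custom_role"`. Note what that grants: the role's container.* permissions on every project in the organisation, not just visibility. If the SA only needs to see projects, a folder-level binding or a separate, narrower role keeps the blast radius of the key file smaller.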