(GCP, Terraform) Error creating service account: googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on project projects/xyz
I am trying to create a ServiceAccount using the Google Cloud API. I am an OAuth client authenticating on behalf of a user. I am using the correct scopes. I still get the error
403: Permission iam.serviceAccounts.create is required to perform this operation on project projects/xyz.
This code used to work before. I see the new documentation also mentions this: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/create
My question is: what am I doing wrong? How do I fix this?
This is really old, but for anyone else: it may be caused by an earlier failed attempt. The error persists, and even a year later the earlier failed attempt seems to propagate it. If you change the name of the service account, it usually works.
To allow a user to manage Service Accounts, grant one of the following roles:
Service Account User (roles/iam.serviceAccountUser): grants permission to get, list or impersonate service accounts.
Service Account Admin (roles/iam.serviceAccountAdmin): includes the Service Account User permissions and additionally grants permission to create, update and delete service accounts and to set or get the Cloud IAM policy on them.
Per the question, to create a service account the user must be granted at least the Service Account Admin role (roles/iam.serviceAccountAdmin) or the Editor basic role (roles/editor).
Since you haven't provided the code, do the following.
GOOGLE_APPLICATION_CREDENTIALS
. In my case, the problem was that I was using the project number instead of the project ID. Strangely, I was able to create many resources (VMs, DNS, networks, ...); this only became a problem when creating service accounts.
As you said, the same code worked earlier. That means someone revoked some role/permission of this user that was used to create new service accounts.
You can view all roles assigned to your user. You can add an appropriate role that has the iam.serviceAccounts.create permission, or you can create a custom role, manually add this permission to it, and then assign it to the user.
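The two checks suggested by the answers above (does the principal's bound roles include iam.serviceAccounts.create, and is the create call addressed to the project ID rather than the project number) can be done offline against an exported policy. The following is an added example, not code from the question or any answer; the role-to-permission map is an assumption that only reflects what the answers state, the sample policy is constructed, and `gcloud projects get-iam-policy PROJECT --format=json` is assumed as the source of the real policy JSON.

```python
"""Offline diagnosis for the 403 in the question: missing role or wrong parent resource.

Added example (not from the page). Uses only the standard library.
"""
import json
import re

# ASSUMPTION: a minimal role -> permission map. The entries follow the answer
# above: serviceAccountUser grants get/list/impersonate only, serviceAccountAdmin
# and the Editor basic role grant create. Real roles carry many more permissions.
ROLE_PERMISSIONS = {
    "roles/iam.serviceAccountUser": {
        "iam.serviceAccounts.get",
        "iam.serviceAccounts.list",
        "iam.serviceAccounts.actAs",
    },
    "roles/iam.serviceAccountAdmin": {
        "iam.serviceAccounts.get",
        "iam.serviceAccounts.list",
        "iam.serviceAccounts.create",
        "iam.serviceAccounts.update",
        "iam.serviceAccounts.delete",
        "iam.serviceAccounts.getIamPolicy",
        "iam.serviceAccounts.setIamPolicy",
    },
    # Subset only; Editor grants far more than this.
    "roles/editor": {"iam.serviceAccounts.create"},
}

REQUIRED = "iam.serviceAccounts.create"

# Constructed sample policy in the shape `gcloud projects get-iam-policy` returns.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwConstructedEtag",
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/iam.serviceAccountAdmin",
         "members": ["user:bob@example.com"]},
    ],
})


def roles_for_member(policy_json: str, member: str) -> list:
    """Return the project-level roles bound to `member`, sorted."""
    policy = json.loads(policy_json)
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def missing_permission(policy_json: str, member: str, permission: str = REQUIRED):
    """Return None if some bound role grants `permission`, otherwise a diagnostic
    naming the roles the member does hold (mirrors the 403 text in the question)."""
    roles = roles_for_member(policy_json, member)
    if any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles):
        return None
    held = ", ".join(roles) if roles else "no roles"
    return f"Permission {permission} is required; {member} holds {held}"


def check_parent(parent: str):
    """Validate the `name` argument passed to serviceAccounts.create.

    Project IDs must start with a letter, so an all-digit value is a project
    number, the mistake described in one of the answers above."""
    m = re.fullmatch(r"projects/([a-z0-9-]+)", parent)
    if not m:
        return f"expected 'projects/PROJECT_ID', got {parent!r}"
    if m.group(1).isdigit():
        return f"{parent!r} looks like a project number; use the project ID"
    return None


if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com"):
        print(who, "->", missing_permission(SAMPLE_POLICY, who) or "can create service accounts")
    for parent in ("projects/my-project-123", "projects/123456789012"):
        print(parent, "->", check_parent(parent) or "ok")
```

Run it against a real export by replacing `SAMPLE_POLICY` with the JSON from `gcloud projects get-iam-policy PROJECT --format=json`; a member that only appears under roles/iam.serviceAccountUser is reported as lacking the create permission, and a `projects/<number>` parent is flagged before any API call is made.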
1. Install the Google Cloud SDK for Windows.
2. After the credentials have been supplied successfully, check the location C:\Users\"yourusername"\AppData\Roaming\gcloud\legacy_credentials\"yourmail"\adc.json. There you will find the credentials stored in JSON format.
3. Create the Google Cloud project.
4. Create the ServiceAccount.
using System;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;
using Google.Apis.CloudResourceManager.v1;
using Google.Apis.Services;
using Data = Google.Apis.CloudResourceManager.v1.Data;
using Google.Apis.Iam.v1;
using Google.Apis.Iam.v1.Data;
using System.Threading;

namespace CloudResourceManager
{
    public class Program
    {
        private const string projectId = "notificatgfions-sample";
        private const string applicationName = "tespopety-gamannnjeta";
        private static IamService _service;

        public static void Main(string[] args)
        {
            CreateProject();
            CreateServiceAccount(projectId, applicationName,
                "Testytytoppwner");
        }

        public static void CreateServiceAccount(string projectId,
            string name, string displayName)
        {
            // Load the application default credentials exported by the Cloud SDK (adc.json).
            CancellationToken canTok = new CancellationToken();
            var credential = Task.Run(async
                () => await GoogleCredential.FromFileAsync("adc.json",
                    canTok)
            ).Result;
            if (credential.IsCreateScopedRequired)
            {
                credential =
                    credential.CreateScoped(IamService.Scope.CloudPlatform);
            }
            _service = new IamService(new IamService.Initializer
            {
                HttpClientInitializer = credential
            });

            // The account ID becomes the local part of the service account e-mail.
            var request = new CreateServiceAccountRequest
            {
                AccountId = name,
                ServiceAccount = new ServiceAccount
                {
                    DisplayName = displayName
                }
            };
            // The parent must be "projects/<PROJECT_ID>", i.e. the ID, not the project number.
            var serviceAccount = _service.Projects.ServiceAccounts.Create(
                request, "projects/" + projectId).Execute();
            Console.WriteLine("Created service account: " + serviceAccount.Email);
            EnableServiceAccount(serviceAccount.Email);
        }

        public static void DeleteServiceAccount(string email)
        {
            var credential = GoogleCredential.FromFile("adc.json")
                .CreateScoped(IamService.Scope.CloudPlatform);
            _service = new IamService(new IamService.Initializer
            {
                HttpClientInitializer = credential
            });
            // "projects/-" lets the API resolve the project from the account e-mail.
            string resource = "projects/-/serviceAccounts/" + email;
            _service.Projects.ServiceAccounts.Delete(resource).Execute();
            Console.WriteLine("Deleted service account: " + email);
        }

        public static void EnableServiceAccount(string email)
        {
            // Reuses the IamService built in CreateServiceAccount; the commented-out
            // block below shows how to build a fresh one when calling this on its own.
            //var credential = GoogleCredential.FromFile("adc.json")
            //    .CreateScoped(IamService.Scope.CloudPlatform);
            //_service = new IamService(new IamService.Initializer
            //{
            //    HttpClientInitializer = credential
            //});
            var request = new EnableServiceAccountRequest();
            string resource = "projects/-/serviceAccounts/" + email;
            _service.Projects.ServiceAccounts.Enable(request, resource).Execute();
            Console.WriteLine("Enabled service account: " + email);
        }

        private static void CreateProject()
        {
            //Environment.SetEnvironmentVariable("GOOGLE_APPLICATION_CREDENTIALS", @"C:\apikey.json");
            //string Pathsave = Environment.GetEnvironmentVariable("GOOGLE_APPLICATION_CREDENTIALS");
            var scopes = new string[] {
                CloudResourceManagerService.Scope.CloudPlatform
            };
            GoogleCredential credential = Task.Run(
                () => GoogleCredential.FromFile("adc.json")
            ).Result;
            if (credential.IsCreateScopedRequired)
            {
                credential = credential.CreateScoped(scopes);
            }
            CloudResourceManagerService service = new CloudResourceManagerService(
                new BaseClientService.Initializer()
                {
                    HttpClientInitializer = credential,
                    ApplicationName = applicationName
                }
            );

            Console.WriteLine("1. Create Project");
            Data.Operation operation1 = service.Projects.Create(
                new Data.Project()
                {
                    ProjectId = projectId,
                }
            ).Execute();

            // Project creation is a long-running operation; poll until Done.
            Console.Write("2. Awaiting Operation Completion");
            Data.Operation operation2;
            do
            {
                operation2 = service.Operations.Get(operation1.Name).Execute();
                Console.WriteLine(operation2.Done.ToString());
                Thread.Sleep(1000);
            } while (operation2.Done != true);
            Console.WriteLine();
            Console.WriteLine("Enter to continue");
            Console.ReadLine();

            // Note: deleting the project here means the CreateServiceAccount call
            // that follows in Main targets a project scheduled for deletion.
            Console.WriteLine("3. Deleting Project");
            var operation3 = service.Projects.Delete(projectId).Execute();
        }
    }
}