服务帐号权限

Question

我对 GCP 很陌生。 我有一个具有以下角色的服务帐户： 我为它创建了一个 json 密钥，并用它来验证 gcloud 客户端。 该客户端正在该服务帐户的该项目的实例上运行。 我似乎没有任何权限：

# gcloud auth activate-service-account cloudbreak@**********-lab.iam.gserviceaccount.com --key-file **********-lab-804c90ab0a14.json
# gcloud auth list
                       Credentialed Accounts
ACTIVE  ACCOUNT
*       cloudbreak@**********-lab.iam.gserviceaccount.com
To set the active account, run:
    $ gcloud config set account `ACCOUNT`
# gcloud compute regions list
ERROR: (gcloud.compute.regions.list) Some requests did not succeed:
 - Required 'compute.regions.list' permission for 'projects/**********-lab'

# gcloud projects get-iam-policy **********-lab
ERROR: (gcloud.projects.get-iam-policy) User [cloudbreak@**********-lab.iam.gserviceaccount.com] does not
 have permission to access project [**********-lab:getIamPolicy] (or it may not exist): The caller does n
ot have permission

我错过了什么？

Answer 1

GCP 中存在一个长期存在的错误，即删除服务帐户并使用相同名称重新创建它可能会导致无法识别其权限的问题。 您描述的行为（创建具有相同权限的新服务帐户并看到它有效）与此错误的症状相符。

Answer 2

要修复您的服务帐户，您可以按照https://cloud.google.com/iam/docs/understanding-service-accounts中的提示进行操作。

奇怪行为的原因描述如下： It is possible to delete a service account and then create a new service account with the same name. If you reuse the name of a deleted service account, it may result in unexpected behavior. [...] If you create a new service account with the same name as a recently deleted service account, the old bindings may still exist It is possible to delete a service account and then create a new service account with the same name. If you reuse the name of a deleted service account, it may result in unexpected behavior. [...] If you create a new service account with the same name as a recently deleted service account, the old bindings may still exist

要解决此问题：

1. 创建具有相同名称的服务帐户
2. 撤销授予该服务帐户的所有角色/权限（将从旧帐户中删除权限）
3. 授予所需的权限（将在新帐户上授予他们）

Answer 3

我通过创建一个新的服务帐户（具有相同的角色）并使用该帐户来解决这个问题。 我不知道另一个发生了什么