![](/img/trans.png)
[英]Google Cloud Datastore and service accounts: limit access permissions
[英]Service accounts permissions
我对 GCP 很陌生。 我有一个具有以下角色的服务帐户: 我为它创建了一个 json 密钥,并用它来验证 gcloud 客户端。 该客户端正在该服务帐户的该项目的实例上运行。 我似乎没有任何权限:
# gcloud auth activate-service-account cloudbreak@**********-lab.iam.gserviceaccount.com --key-file **********-lab-804c90ab0a14.json
# gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* cloudbreak@**********-lab.iam.gserviceaccount.com
To set the active account, run:
$ gcloud config set account `ACCOUNT`
# gcloud compute regions list
ERROR: (gcloud.compute.regions.list) Some requests did not succeed:
- Required 'compute.regions.list' permission for 'projects/**********-lab'
# gcloud projects get-iam-policy **********-lab
ERROR: (gcloud.projects.get-iam-policy) User [cloudbreak@**********-lab.iam.gserviceaccount.com] does not
have permission to access project [**********-lab:getIamPolicy] (or it may not exist): The caller does n
ot have permission
我错过了什么?
GCP 中存在一个长期存在的错误,即删除服务帐户并使用相同名称重新创建它可能会导致无法识别其权限的问题。 您描述的行为(创建具有相同权限的新服务帐户并看到它有效)与此错误的症状相符。
要修复您的服务帐户,您可以按照https://cloud.google.com/iam/docs/understanding-service-accounts中的提示进行操作。
奇怪行为的原因描述如下: It is possible to delete a service account and then create a new service account with the same name. If you reuse the name of a deleted service account, it may result in unexpected behavior. [...] If you create a new service account with the same name as a recently deleted service account, the old bindings may still exist
It is possible to delete a service account and then create a new service account with the same name. If you reuse the name of a deleted service account, it may result in unexpected behavior. [...] If you create a new service account with the same name as a recently deleted service account, the old bindings may still exist
要解决此问题:
我通过创建一个新的服务帐户(具有相同的角色)并使用该帐户来解决这个问题。 我不知道另一个发生了什么
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.