GCP 权限：访问范围和自定义 IAM 服务帐户角色

Question

我有一个 Kotlin 应用程序，它使用自定义服务帐户并且需要查询由 Google 电子表格支持的 BigQuery 表。 查询表格需要“https://www.googleapis.com/auth/drive”访问权限 scope，但据我所知，自定义服务帐户不能附加访问范围。 最好的前进方式是什么？ 我可以向自定义 SA 添加一些权限集来模拟访问 scope 吗？

我得到的错误是：

INFO - com.google.cloud.bigquery.BigQueryException: Access Denied: BigQuery BigQuery: Permission denied while getting Drive credentials.
    at com.google.cloud.bigquery.spi.v2.HttpBigQueryRpc.translate(HttpBigQueryRpc.java:115)
    at com.google.cloud.bigquery.spi.v2.HttpBigQueryRpc.queryRpc(HttpBigQueryRpc.java:652)
    at com.google.cloud.bigquery.BigQueryImpl$35.call(BigQueryImpl.java:1282)
    at com.google.cloud.bigquery.BigQueryImpl$35.call(BigQueryImpl.java:1279)
    at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:105)
    at com.google.cloud.bigquery.BigQueryRetryHelper.run(BigQueryRetryHelper.java:64)
    at com.google.cloud.bigquery.BigQueryRetryHelper.runWithRetries(BigQueryRetryHelper.java:38)
    at com.google.cloud.bigquery.BigQueryImpl.queryRpc(BigQueryImpl.java:1278)
    at com.google.cloud.bigquery.BigQueryImpl.query(BigQueryImpl.java:1266)
    at com..extractor.BigQueryDataExtractor.extractData(BigQueryDataExtractor.kt:90)
    at com.extractor.commands..call(.kt:62)
    at com..extractor.commands..call(.kt:9)
    at picocli.CommandLine.executeUserObject(CommandLine.java:1953)
    at picocli.CommandLine.access$1300(CommandLine.java:145)
    at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2358)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2352)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2314)
    at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
    at picocli.CommandLine$RunLast.execute(CommandLine.java:2316)
    at picocli.CommandLine.execute(CommandLine.java:2078)
    at com...extractor..run(.kt:25)
    at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:791)
    at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:775)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:345)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1343)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1332)
    at com...extractor..main(.kt:38)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:108)
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
    at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88)
Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
POST https://www.googleapis.com/bigquery/v2/projects//queries
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Access Denied: BigQuery BigQuery: Permission denied while getting Drive credentials.",
    "reason" : "accessDenied"
  } ],
  "message" : "Access Denied: BigQuery BigQuery: Permission denied while getting Drive credentials.",
  "status" : "PERMISSION_DENIED"
}```


EDIT: I've managed to pass extra scopes to the credentials created by Spring Boot, so solved my problem, but would still be interested in hearing if there was a way to solve the problem without using scopes

Answer 1

您可以在创建客户端时为其分配访问范围。 就我而言，这是在 Spring 引导配置文件中设置属性的情况，如下所述： https://docs.spring.io/spring-cloud-gcp/docs/current/reference/html/#scopes