GKE服务目录BigQuery ACL /权限问题-用户xx在项目yy

时间:2018-08-02 08:47:06

标签: kubernetes google-bigquery service-accounts google-kubernetes-engine

我正在尝试使用Google Kubernetes的服务目录连接到BigQuery。但是,我有很多有关IAM / ACL权限的问题。

我将所有者角色添加到了myProjectId@cloudservices.gserviceaccount.com帐户,因为在创建绑定的服务帐户期间编辑器不足以访问IAM。

在将projectReaders,projectWriters和projectOwners手动添加到数据集的ACL之后,我最终可以读写BigQuery,但是我无法创建作业,因为这需要项目权限。更新数据集的命令为

bq update --source /tmp/roles myDatasetId

此后,我尝试查询bq,但操作失败

root@batch-shell:/app#   cat sql/xxx.sql | bq query --format=none --allow_large_results=true --destination_table=myDatasetId.pages_20180730 --maximum_billing_tier 3

BigQuery error in query operation: Access Denied: Project my-staging-project: The user k8s-bigquery-acc@my-staging-project.iam.gserviceaccount.com does not have
bigquery.jobs.create permission in project my-staging-project.

我试图将帐户的角色设置为“所有者”和“ BigQuery作业用户”,但没有任何效果。我什至尝试了所有其他帐户作为所有者。

这是我当前的ACL权限:

[16:52:45] blackfalcon:〜/ src / myproject / batch:chris $ bq --format = prettyjson show myDatasetId 

{
  "access": [
    {
      "role": "WRITER",
      "specialGroup": "projectWriters"
    },
    {
      "role": "OWNER",
      "specialGroup": "projectOwners"
    },
    {
      "role": "OWNER",
      "userByEmail": "myProjectId@cloudservices.gserviceaccount.com"
    },
    {
      "role": "OWNER",
      "userByEmail": "k8s-bigquery-acc@my-staging-project.iam.gserviceaccount.com"
    },
    {
      "role": "READER",
      "specialGroup": "allAuthenticatedUsers"
    },
    {
      "role": "READER",
      "specialGroup": "projectReaders"
    }
  ],
  "creationTime": "1532859638248",
  "datasetReference": {
    "datasetId": "myDatasetId",
    "projectId": "my-staging-project"
  },
  "defaultTableExpirationMs": "8000000000",
  "description": "myproject Access myDatasetId",
  "id": "my-staging-project:myDatasetId",
  "kind": "bigquery#dataset",
  "lastModifiedTime": "1533184961736",
  "location": "US",
  "selfLink": "https://www.googleapis.com/bigquery/v2/projects/my-staging-project/datasets/myDatasetId"
}

[16:53:02] blackfalcon:〜/ src / myproject / batch:chris $ gcloud projects get-iam-policy my-staging-project     绑定:

- members:
  - serviceAccount:k8s-bigquery-acc@my-staging-project.iam.gserviceaccount.com
  - user:myemail@somedomain.com
  role: roles/bigquery.admin
- members:
  - serviceAccount:k8s-cloudsql-acc-staging@my-staging-project.iam.gserviceaccount.com
  role: roles/cloudsql.client
- members:
  - serviceAccount:service-myProjectId@compute-system.iam.gserviceaccount.com
  role: roles/compute.serviceAgent
- members:
  - serviceAccount:service-myProjectId@container-engine-robot.iam.gserviceaccount.com
  role: roles/container.serviceAgent
- members:
  - serviceAccount:myProjectId-compute@developer.gserviceaccount.com
  - serviceAccount:myProjectId@cloudservices.gserviceaccount.com
  - serviceAccount:service-myProjectId@containerregistry.iam.gserviceaccount.com
  role: roles/editor
- members:
  - serviceAccount:service-myProjectId@cloud-ml.google.com.iam.gserviceaccount.com
  role: roles/ml.serviceAgent
- members:
  - serviceAccount:myProjectId@cloudservices.gserviceaccount.com
  - user:myemail@somedomain.com
  role: roles/owner
- members:
  - serviceAccount:scg-fv6fz3sjnxo3cfpppcl2qs5edm@my-staging-project.iam.gserviceaccount.com
  role: roles/servicebroker.operator
- members:
  - serviceAccount:service-myProjectId@gcp-sa-servicebroker.iam.gserviceaccount.com
  role: roles/servicebroker.serviceAgent
- members:
  - serviceAccount:k8s-bigquery-acc@my-staging-project.iam.gserviceaccount.com
  - user:myemail@somedomain.com
  role: roles/storage.admin
version: 1

似乎我需要为BigQuery设置项目ACL,但是我发现的一切都表明,使用IAM设置角色应该足够

任何帮助将不胜感激。

更新:我暂时已经解决了。

事实证明服务帐户本身无法正常工作。我尝试将所有者角色分配给服务帐户,并在本地使用该服务帐户访问一些gcloud资源,但均因权限错误而失败。 然后,我创建了一个具有相同权限的新服务帐户,然后再试一次,它成功了。因此,该服务帐户似乎已损坏。

我删除了绑定,然后删除了IAM和服务帐户并重建了绑定。

现在它像魔咒一样工作

0 个答案:

没有答案
相关问题
最新问题