I want to create a Data Fusion instance and grant its service account permission to read and write BigQuery. I am using the beta version of Data Fusion, and my project sits under an organization.
gcloud services enable datafusion.googleapis.com
ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
PROJECT_ID=my-project-under-an-org
INSTANCE_ID=cdf-dev-0
# create the instance; the request body must be valid JSON (double-quoted keys and values), and the URL is quoted because it contains '?'
curl --request POST --header "Authorization: Bearer $ACCESS_TOKEN" --header 'Content-Type: application/json' "https://datafusion.googleapis.com/v1beta1/projects/$PROJECT_ID/locations/europe-west1/instances?instanceId=$INSTANCE_ID" -d '{"zone": "europe-west1-b", "enableStackdriverLogging": true, "enableStackdriverMonitoring": true, "labels": {}, "networkConfig": {}, "options": {}, "privateInstance": false, "type": "ENTERPRISE"}'
# retrieve service account so that permissions can be granted to it (jq -r strips the JSON quotes, which --member does not accept)
SERVICE_ACCOUNT=$(curl --request GET --header "Authorization: Bearer $ACCESS_TOKEN" --header 'Content-Type: application/json' "https://datafusion.googleapis.com/v1beta1/projects/$PROJECT_ID/locations/europe-west1/instances/$INSTANCE_ID" | jq -r .serviceAccount)
gcloud projects add-iam-policy-binding "$PROJECT_ID" --member="serviceAccount:$SERVICE_ACCOUNT" --role='roles/bigquery.dataEditor'
When I try to grant the role, I get the following error:
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) FAILED_PRECONDITION: One or more users named in the policy do not belong to a permitted customer.
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - description: User cloud-datafusion-management-sa@xxxx-tp.iam.gserviceaccount.com is not in permitted organization.
    subject: orgpolicy:projects/my-project-under-an-org?configvalue=cloud-datafusion-management-sa%xxxx-tp.iam.gserviceaccount.com
    type: constraints/iam.allowedPolicyMemberDomains
Any hints are appreciated.
Answer 0: (score: 0)
To pin down the problem, could you run gcloud alpha iam policies lint-condition
and share the output?
Answer 1: (score: 0)
The policy modification failure is triggered by the domain restriction constraint (https://www.robvanderwoude.com/escapechars.php), which is used in organization policies to restrict resource sharing based on domain. This domain sharing restriction blocks assigning the permission to the service account. The workaround is to temporarily disable that constraint.
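The following script is an added example that is not part of the question or either answer. It covers both the request sequence in the question (a valid JSON request body, extracting the service account from the instance response without leaving JSON quotes in the member name, and composing the binding command) and the org-policy point in Answer 1 (inspecting the effective constraints/iam.allowedPolicyMemberDomains policy on the project before attempting the binding, so the FAILED_PRECONDITION is anticipated rather than discovered). The project, region, instance name and the SAMPLE_RESPONSE JSON are constructed placeholders; in real use the output of the curl GET from the question is passed to extract_service_account instead.

```shell
#!/bin/sh
# Added example (not the question author's code and not Google's own tooling).
# Assumed placeholders: PROJECT_ID and the constructed SAMPLE_RESPONSE below.

# Request body for instance creation as valid JSON. The body in the question
# used single quotes inside the JSON, which the API rejects; wrap the whole
# body in single quotes for the shell and use double quotes inside it.
build_create_body() {
  printf '{"zone":"%s","enableStackdriverLogging":true,"enableStackdriverMonitoring":true,"labels":{},"networkConfig":{},"options":{},"privateInstance":false,"type":"ENTERPRISE"}' "$1"
}

# Read the serviceAccount field out of the instance GET response. The result
# carries no surrounding quotes, which is what --member=serviceAccount:... needs
# (jq without -r keeps the quotes and IAM rejects the member).
extract_service_account() {
  printf '%s' "$1" | sed -n 's/.*"serviceAccount"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Only pass a value that looks like a service-account address to IAM; anything
# else (empty string, still-quoted value, an error message) stops the script.
is_service_account() {
  case "$1" in
    *@*.iam.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# The binding command from the question, with the member prefix applied.
binding_command() {
  printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=%s' "$1" "$2" "$3"
}

# Show the effective iam.allowedPolicyMemberDomains policy on the project before
# granting anything. If the Data Fusion tenant-project account is not covered,
# the binding fails exactly as in the question. Any override that lifts the
# constraint should be scoped to this project only and removed again once the
# binding is in place, so the organization-wide restriction stays in force.
org_policy_check_command() {
  printf 'gcloud resource-manager org-policies describe constraints/iam.allowedPolicyMemberDomains --project=%s --effective' "$1"
}

# Constructed sample of an instance GET response (not real API output).
SAMPLE_RESPONSE='{"name":"projects/my-project-under-an-org/locations/europe-west1/instances/cdf-dev-0","state":"RUNNING","serviceAccount":"cloud-datafusion-management-sa@example-tp.iam.gserviceaccount.com"}'

PROJECT_ID=my-project-under-an-org   # placeholder
SA=$(extract_service_account "$SAMPLE_RESPONSE")
if is_service_account "$SA"; then
  echo "request body: $(build_create_body europe-west1-b)"
  echo "check first:  $(org_policy_check_command "$PROJECT_ID")"
  echo "then run:     $(binding_command "$PROJECT_ID" "$SA" roles/bigquery.dataEditor)"
else
  echo "could not find a service account in the instance response" >&2
  exit 1
fi
```

The script deliberately composes the gcloud commands instead of running them, so it can be checked offline; replace SAMPLE_RESPONSE with the real GET output and run the printed commands once the effective policy has been reviewed.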