setIamPolicy on a Pub/Sub topic (at the resource level, not the project)

Time: 2019-10-23 15:45:54

Tags: google-cloud-platform google-cloud-pubsub google-iam google-deployment-manager

I am using Deployment Manager to set the IAM policy of an existing Pub/Sub topic. I don't want to fetch it, and I can't create it with Deployment Manager (because it already exists), so I want to set the policy on the existing resource.

I can do this with a bucket, but the documentation is really confusing and I can't find the correct method.

I want to do this for a topic instead of a bucket (a resource-level binding):

resources:
  - name: mybucket
    action: gcp-types/storage-v1:storage.buckets.setIamPolicy
    properties:
      bucket: mybucket
      bindings:
        - role: roles/storage.admin
          members:
          - "serviceAccount:sdfsfds@sdfsdf.com"

I can only find gcp-types/pubsub-v1:projects.topics.setIamPolicy at the project level? What is the correct API for setting an IAM policy on a specific topic?

The Google APIs here seem really inconsistent. Are these methods equivalent? The documentation is confusing: https://cloud.google.com/storage/docs/json_api/v1/buckets/setIamPolicy https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.topics/setIamPolicy

I tried this, but I get an error:

  - name: mytopic
    action: gcp-types/pubsub-v1:pubsub.projects.topics.setIamPolicy
    properties:
      resource: mytopic
      bindings:
        - role: roles/pubsub.admin
          members:
          - "serviceAccount:ssdfsdf@sdfsdf.com"

The error I get:

message: '{"ResourceType":"gcp-types/pubsub-v1:pubsub.projects.topics.setIamPolicy","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"message":"Invalid
    JSON payload received. Unknown name \"bindings\": Cannot find field.","status":"INVALID_ARGUMENT","details":[{"@type":"type.googleapis.com/google.rpc.BadRequest","fieldViolations":[{"description":"Invalid
    JSON payload received. Unknown name \"bindings\": Cannot find field."}]}],"statusMessage":"Bad
    Request","requestPath":"https://pubsub.googleapis.com/v1/projects/myproject/topics/mytopic:setIamPolicy","httpMethod":"POST"}}

When I try projects.topics.setIamPolicy I get:

- code: COLLECTION_NOT_FOUND
  message: Collection 'projects.topics.setIamPolicy' not found in discovery doc 'https://pubsub.googleapis.com/$discovery/rest?version=v1'

1 answer:

Answer 0 (score: 1)

pubsub-v1:projects.topics.setIamPolicy is at the topic level, whereas https://iam.googleapis.com/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy sets Pub/Sub or other resources at the project level.

You get those errors because you are granting Pub/Sub Admin, and that is a project-level role. Examples of roles you can grant are:

  • roles/viewer
  • roles/editor
  • roles/owner

I understand that you are trying to deploy a topic with an IAM policy that allows only one service account to access it. For the environment you are using, you would need a yaml file and a python file.

In the python file, you set the topic's IAM with the "set_iam_policy" method, which takes two arguments, the policy and the topic path:

from google.cloud import pubsub_v1

# Fill in your project ID and the name of the existing topic.
project = 'my-project'
topic_name = 'my-topic'

# Positional get_iam_policy/set_iam_policy signatures as in google-cloud-pubsub 1.x;
# 2.x takes request={'resource': topic_path} / request={'resource': ..., 'policy': ...}.
client = pubsub_v1.PublisherClient()
topic_path = client.topic_path(project, topic_name)

# Read the current policy first so the returned etag guards against a concurrent update.
policy = client.get_iam_policy(topic_path)

# Add all users as viewers.
policy.bindings.add(
    role='roles/pubsub.viewer',
    members=['allUsers'])

# Add a group as a publisher.
policy.bindings.add(
    role='roles/pubsub.publisher',
    members=['group:cloud-logs@google.com'])

# Set the policy
policy = client.set_iam_policy(topic_path, policy)

print('IAM policy for topic {} set: {}'.format(
    topic_name, policy))

For Deployment Manager:

imports:
  - path: templates/pubsub/pubsub.py
    name: pubsub.py

resources:
  - name: test-pubsub
    type: pubsub.py
    properties:
      topic: test-topic
      accessControl:
        - role: roles/pubsub.subscriber
          members:
            - user:demo@user.com
      subscriptions:
        - name: first-subscription
          accessControl:
            - role: roles/pubsub.subscriber
              members:
               - user:demo@user.com
        - name: second-subscription
          ackDeadlineSeconds: 15