GCP服务帐户凭据被忽略?

时间:2017-11-02 17:03:08

标签: gcloud gcp kubectl

直到昨天我才能在GCP上运行一个应用程序来监听PubSub并将数据写入BigTable,但截至今天,我似乎还没有有效的身份验证。

以下是我的进展方式:

  1. 我即时创建了一个服务帐户:

    2. gcloud iam service-accounts create ${SERVICE_ACCOUNT} \ --display-name "$(whoami) dev account" --project ${PROJECT_ID}

    1. 我为此帐户创建了一个JSON密钥文件:

      2. gcloud iam service-accounts keys create \ "auth-${SERVICE_ACCOUNT}@${PROJECT_ID}.json" --iam-account=${IAM_ACCOUNT} \ --project ${PROJECT_ID}

      1. 我从这个JSON文件中创建了一个kubectl密钥:

        2. kubectl create secret generic ingester-key \ --from-file=key.json="auth-${SERVICE_ACCOUNT}@${PROJECT_ID}.json"

        1. 我将此帐户绑定到管理员角色:

          2. bindings: - members: - serviceAccount:marcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com - serviceAccount:service-480932822351@container-engine-robot.iam.gserviceaccount.com role: roles/bigtable.admin - members: - serviceAccount:marcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com role: roles/bigtable.user - members: - serviceAccount:service-480932822351@container-engine-robot.iam.gserviceaccount.com role: roles/container.serviceAgent - members: - serviceAccount:480932822351-compute@developer.gserviceaccount.com - serviceAccount:480932822351@cloudservices.gserviceaccount.com - serviceAccount:service-480932822351@containerregistry.iam.gserviceaccount.com role: roles/editor - members: - user:marcello@XXXEDITEDXXX role: roles/owner - members: - serviceAccount:service-480932822351@container-engine-robot.iam.gserviceaccount.com role: roles/pubsub.admin - members: - serviceAccount:marcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com role: roles/pubsub.editor - members: - serviceAccount:marcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com role: roles/storage.admin - members: - serviceAccount:marcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com role: roles/storage.objectAdmin - members: - serviceAccount:marcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com role: roles/storage.objectCreator - members: - serviceAccount:marcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com role: roles/storage.objectViewer

          1. 我获得kubectl的群集凭据:

            2. gcloud container clusters get-credentials ingester-cluster --zone us-east1-b --project noisy-turtle-20171031

            然后我启动了kubernetes集群(为简洁起见,此处未显示),并在日志文件中打印出我正在使用的凭据,以验证服务帐户是否正确:

            "Account: ServiceAccountCredentials{clientId\u003d117494744145141605372, clientEmail\u003dmarcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com, privateKeyId\u003dad79da59c0a75c2b358d530d63d9a8898523f3cb, transportFactoryClassName\u003dcom.google.auth.oauth2.OAuth2Utils$DefaultHttpTransportFactory, tokenServerUri\u003dhttps://accounts.google.com/o/oauth2/token, scopes\u003d[], serviceAccountUser\u003dnull}"

            并发现clientEmail与我的服务帐户匹配。

            几个周期后,应用程序崩溃了:

            Exception in thread "main" java.io.IOException: Failed to listTables ... Caused by: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Access denied. Missing IAM permission: bigtable.tables.list.

            有什么想法吗?

1 个答案:

答案 0 :(得分:0)

我找到了缺失的部分:在第2步之后,您需要激活服务帐户密钥:

gcloud auth activate-service-account ${IAM_ACCOUNT} --key-file="auth-${SERVICE_ACCOUNT}@${PROJECT_ID}.json"
相关问题
最新问题