GCS with GKE,403没有足够的权限写入GCS存储桶

时间:2017-11-03 05:06:47

标签: python django google-cloud-platform google-cloud-storage google-kubernetes-engine

目前,我正在尝试将文件写入Google云端存储分区。为此,我使用了django-storages包。

我已经部署了我的代码,并通过kubernetes kubectl实用程序进入正在运行的容器,以检查GCS存储桶的工作情况。

$ kubectl exec -it foo-pod -c foo-container --namespace=testing python manage.py shell

我能够读取存储桶,但如果我尝试写入存储桶,则会显示以下追溯。

>>> from django.core.files.storage import default_storage
>>> f = default_storage.open('storage_test', 'w')
>>> f.write('hi')
2
>>> f.close()
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/google/cloud/storage/blob.py", line 946, in upload_from_file
    client, file_obj, content_type, size, num_retries)
  File "/usr/local/lib/python3.6/site-packages/google/cloud/storage/blob.py", line 867, in _do_upload
    client, stream, content_type, size, num_retries)
  File "/usr/local/lib/python3.6/site-packages/google/cloud/storage/blob.py", line 700, in _do_multipart_upload
    transport, data, object_metadata, content_type)
  File "/usr/local/lib/python3.6/site-packages/google/resumable_media/requests/upload.py", line 98, in transmit
    self._process_response(result)
  File "/usr/local/lib/python3.6/site-packages/google/resumable_media/_upload.py", line 110, in _process_response
    response, (http_client.OK,), self._get_status_code)
  File "/usr/local/lib/python3.6/site-packages/google/resumable_media/_helpers.py", line 93, in require_status_code
    status_code, u'Expected one of', *status_codes)
google.resumable_media.common.InvalidResponse: ('Request failed with status code', 403, 'Expected one of', <HTTPStatus.OK: 200>)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/storages/backends/gcloud.py", line 75, in close
    self.blob.upload_from_file(self.file, content_type=self.mime_type)
  File "/usr/local/lib/python3.6/site-packages/google/cloud/storage/blob.py", line 949, in upload_from_file
    _raise_from_invalid_response(exc)
  File "/usr/local/lib/python3.6/site-packages/google/cloud/storage/blob.py", line 1735, in _raise_from_invalid_response
    raise exceptions.from_http_response(error.response)
google.api_core.exceptions.Forbidden: 403 POST https://www.googleapis.com/upload/storage/v1/b/foo.com/o?uploadType=multipart: Insufficient Permission
>>> default_storage.url('new docker')
'https://storage.googleapis.com/foo.appspot.com/new%20docker'
>>>

似乎它与存储桶权限完全相关。所以我已经将存储管理员,存储对象创建者角色分配给谷歌云构建服务帐户(通过存储桶 - >管理权限),但仍然显示相同的错误。

1 个答案:

答案 0 :(得分:7)

如果您没有为具有正确范围的群集分配,可能的解释是。如果是这种情况,群集中的节点将没有写入Google云端存储所需的授权/权限,这可以解释您看到的403错误。

如果在创建群集时未设置范围,则会分配默认范围,这仅为云存储提供读取权限。

要使用Cloud SDK检查群集当前作用域,您可以尝试运行“描述”#39;来自Cloud Shell的命令,例如:

gcloud container clusters describe CLUSTER-NAME --zone ZONE

输出的oauthScopes部分包含分配给集群/节点的当前作用域。

将显示默认的只读云存储范围:

https://www.googleapis.com/auth/devstorage.read_only

如果设置了云存储读/写范围,则输出将显示:

https://www.googleapis.com/auth/devstorage.read_write

可以在群集创建期间使用--scope开关设置范围,后跟所需的范围标识符。在你的情况下,这将是“存储-rw”。例如,您可以运行类似:

gcloud容器群创建CLUSTER-NAME --zone ZONE --scopes storage-rw

storage-rw范围与您的服务帐户相结合,然后应允许群集中的节点写入云存储。

或者,如果您不想重新创建群集,则可以使用新的所需范围创建新节点池,然后删除旧节点池。有关如何实现此目的的信息,请参阅Is it necessary to recreate a Google Container Engine cluster to modify API permissions?的已接受答案。