我正在尝试使用Google Kubernetes的服务目录连接到BigQuery。但是,我有很多有关IAM / ACL权限的问题。
我将所有者角色添加到了myProjectId@cloudservices.gserviceaccount.com帐户,因为在创建绑定的服务帐户期间编辑器不足以访问IAM。
在将projectReaders,projectWriters和projectOwners手动添加到数据集的ACL之后,我最终可以读写BigQuery,但是我无法创建作业,因为这需要项目权限。更新数据集的命令为
bq update --source /tmp/roles myDatasetId
此后,我尝试查询bq,但操作失败
root@batch-shell:/app# cat sql/xxx.sql | bq query --format=none --allow_large_results=true --destination_table=myDatasetId.pages_20180730 --maximum_billing_tier 3
BigQuery error in query operation: Access Denied: Project my-staging-project: The user k8s-bigquery-acc@my-staging-project.iam.gserviceaccount.com does not have
bigquery.jobs.create permission in project my-staging-project.
我试图将帐户的角色设置为“所有者”和“ BigQuery作业用户”,但没有任何效果。我什至尝试了所有其他帐户作为所有者。
这是我当前的ACL权限:
[16:52:45] blackfalcon:〜/ src / myproject / batch:chris $ bq --format = prettyjson show myDatasetId
{
"access": [
{
"role": "WRITER",
"specialGroup": "projectWriters"
},
{
"role": "OWNER",
"specialGroup": "projectOwners"
},
{
"role": "OWNER",
"userByEmail": "myProjectId@cloudservices.gserviceaccount.com"
},
{
"role": "OWNER",
"userByEmail": "k8s-bigquery-acc@my-staging-project.iam.gserviceaccount.com"
},
{
"role": "READER",
"specialGroup": "allAuthenticatedUsers"
},
{
"role": "READER",
"specialGroup": "projectReaders"
}
],
"creationTime": "1532859638248",
"datasetReference": {
"datasetId": "myDatasetId",
"projectId": "my-staging-project"
},
"defaultTableExpirationMs": "8000000000",
"description": "myproject Access myDatasetId",
"id": "my-staging-project:myDatasetId",
"kind": "bigquery#dataset",
"lastModifiedTime": "1533184961736",
"location": "US",
"selfLink": "https://www.googleapis.com/bigquery/v2/projects/my-staging-project/datasets/myDatasetId"
}
[16:53:02] blackfalcon:〜/ src / myproject / batch:chris $ gcloud projects get-iam-policy my-staging-project 绑定:
- members:
- serviceAccount:k8s-bigquery-acc@my-staging-project.iam.gserviceaccount.com
- user:myemail@somedomain.com
role: roles/bigquery.admin
- members:
- serviceAccount:k8s-cloudsql-acc-staging@my-staging-project.iam.gserviceaccount.com
role: roles/cloudsql.client
- members:
- serviceAccount:service-myProjectId@compute-system.iam.gserviceaccount.com
role: roles/compute.serviceAgent
- members:
- serviceAccount:service-myProjectId@container-engine-robot.iam.gserviceaccount.com
role: roles/container.serviceAgent
- members:
- serviceAccount:myProjectId-compute@developer.gserviceaccount.com
- serviceAccount:myProjectId@cloudservices.gserviceaccount.com
- serviceAccount:service-myProjectId@containerregistry.iam.gserviceaccount.com
role: roles/editor
- members:
- serviceAccount:service-myProjectId@cloud-ml.google.com.iam.gserviceaccount.com
role: roles/ml.serviceAgent
- members:
- serviceAccount:myProjectId@cloudservices.gserviceaccount.com
- user:myemail@somedomain.com
role: roles/owner
- members:
- serviceAccount:scg-fv6fz3sjnxo3cfpppcl2qs5edm@my-staging-project.iam.gserviceaccount.com
role: roles/servicebroker.operator
- members:
- serviceAccount:service-myProjectId@gcp-sa-servicebroker.iam.gserviceaccount.com
role: roles/servicebroker.serviceAgent
- members:
- serviceAccount:k8s-bigquery-acc@my-staging-project.iam.gserviceaccount.com
- user:myemail@somedomain.com
role: roles/storage.admin
version: 1
似乎我需要为BigQuery设置项目ACL,但是我发现的一切都表明,使用IAM设置角色应该足够
任何帮助将不胜感激。
更新:我暂时已经解决了。
事实证明服务帐户本身无法正常工作。我尝试将所有者角色分配给服务帐户,并在本地使用该服务帐户访问一些gcloud资源,但均因权限错误而失败。 然后,我创建了一个具有相同权限的新服务帐户,然后再试一次,它成功了。因此,该服务帐户似乎已损坏。
我删除了绑定,然后删除了IAM和服务帐户并重建了绑定。
现在它像魔咒一样工作