我有2个存储区(分别为生产和暂存),并且我有一个服务帐户。我想将此帐户限制为只能访问登台存储桶。现在,我在https://cloud.google.com/iam/docs/conditions-overview上看到这应该可行。我这样创建了policy.json
{
"bindings": [
{
"role": "roles/storage.objectCreator",
"members": "serviceAccount:staging-service-account@lalala-co.iam.gserviceaccount.com",
"condition": {
"title": "staging bucket only",
"expression": "resource.name.startsWith(\"projects/_/buckets/uploads-staging\")"
}
}
]
}
但是当我开枪gcloud projects set-iam-policy lalala policy.json
时,我得到了:
The specified policy does not contain an "etag" field identifying a
specific version to replace. Changing a policy without an "etag" can
overwrite concurrent policy changes.
Replace existing policy (Y/n)?
ERROR: (gcloud.projects.set-iam-policy) INVALID_ARGUMENT: Can't set conditional policy on policy type: resourcemanager_projects and id: /lalala
我觉得我误解了角色,策略和服务帐户之间的关系。但是无论如何:是否可以通过这种方式限制服务帐户?
答案 0 :(得分:0)
在评论之后,我能够解决我的问题。显然,存储桶权限在某种程度上很特殊,但是我能够使用gsutil在存储桶上设置允许用户访问的策略:
gsutils iam ch serviceAccount:staging-service-account@lalala.iam.gserviceaccount.com:objectCreator gs://lalala-uploads-staging
触发此操作后,访问将按预期进行。我发现这并没有反映在服务帐户政策上,这令人有些困惑:
% gcloud iam service-accounts get-iam-policy staging-service-account@lalala.iam.gserviceaccount.com
etag: ACAB
谢谢大家