我已经在GCP控制台 IAM和管理员中创建了服务帐户> 服务帐户 >> 创建 >
已分配的存储管理,存储对象管理,存储对象创建者
创建了 Key 并下载了json文件
要测试此服务帐户,我在GCP VM上运行了此命令
$ gcloud auth activate-service-account --key-file service-account.json
Activated service account credentials for: [ingester@xxx-123.iam.gserviceaccount.com]
然后我就可以将文件cp到存储桶
$ gsutil cp image-src.txt gs://bucket-images
Copying file://image-src.txt [Content-Type=text/plain]...
/ [1 files][ 19.5 KiB/ 19.5 KiB]
Operation completed over 1 objects/19.5 KiB.
但是当我尝试将service-account.json
与node.js应用一起使用时,我会得到
(node:1) UnhandledPromiseRejectionWarning: Error: ingester@xxx-123.iam.gserviceaccount.com does not have storage.objects.create access to the Google Cloud Storage object.
at new ApiError (/ingester/node_modules/@google-cloud/common/build/src/util.js:59:15)
at Util.parseHttpRespBody (/ingester/node_modules/@google-cloud/common/build/src/util.js:194:38)
at Util.handleResp (/ingester/node_modules/@google-cloud/common/build/src/util.js:135:117)
at retryRequest (/ingester/node_modules/@google-cloud/common/build/src/util.js:434:22)
at onResponse (/ingester/node_modules/retry-request/index.js:206:7)
at /ingester/node_modules/teeny-request/build/src/index.js:170:17
at process._tickCallback (internal/process/next_tick.js:68:7)
(node:1) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 5)
我可以正确创建服务帐户吗?
更新:v1gnus回答
我试图获得
cloudshell:~ $ gcloud iam service-accounts get-iam-policy ingester@xxx-123.iam.gserviceaccount.com
etag: ACAB
然后我尝试设置政策
cloudshell:~ $ gcloud projects add-iam-policy-binding xxx-123 --member serviceAccount:ingester@xxx-123.ia
m.gserviceaccount.com --role roles/storage.admin
Updated IAM policy for project [xxx-123].
bindings:
...
- members:
- serviceAccount:ingester@xxx-123.iam.gserviceaccount.com
role: roles/storage.admin
- members:
- serviceAccount:ingester@xxx-123.iam.gserviceaccount.com
role: roles/storage.objectAdmin
- members:
- serviceAccount:ingester@xxx-123.iam.gserviceaccount.com
role: roles/storage.objectCreator
etag: rfvtgyh-4Gw=
version: 1
在此之后我仍然得到这个
cloudshell:~ $ gcloud iam service-accounts get-iam-policy ingester@xxx-123.iam.gserviceaccount.com
etag: ACAB