GCP服务帐户无法使用存储

时间:2020-05-20 21:25:30

标签: google-cloud-storage

我已经在GCP控制台 IAM和管理员中创建了服务帐户> 服务帐户 >> 创建 >

已分配的存储管理存储对象管理存储对象创建者

创建了 Key 并下载了json文件

要测试此服务帐户,我在GCP VM上运行了此命令

$ gcloud auth activate-service-account --key-file service-account.json 
Activated service account credentials for: [ingester@xxx-123.iam.gserviceaccount.com]

然后我就可以将文件cp到存储桶

$ gsutil cp image-src.txt gs://bucket-images
Copying file://image-src.txt [Content-Type=text/plain]...
/ [1 files][ 19.5 KiB/ 19.5 KiB]                                                
Operation completed over 1 objects/19.5 KiB.

但是当我尝试将service-account.json与node.js应用一起使用时,我会得到

(node:1) UnhandledPromiseRejectionWarning: Error: ingester@xxx-123.iam.gserviceaccount.com does not have storage.objects.create access to the Google Cloud Storage object.
    at new ApiError (/ingester/node_modules/@google-cloud/common/build/src/util.js:59:15)
    at Util.parseHttpRespBody (/ingester/node_modules/@google-cloud/common/build/src/util.js:194:38)
    at Util.handleResp (/ingester/node_modules/@google-cloud/common/build/src/util.js:135:117)
    at retryRequest (/ingester/node_modules/@google-cloud/common/build/src/util.js:434:22)
    at onResponse (/ingester/node_modules/retry-request/index.js:206:7)
    at /ingester/node_modules/teeny-request/build/src/index.js:170:17
    at process._tickCallback (internal/process/next_tick.js:68:7)
(node:1) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 5)

我可以正确创建服务帐户吗?

更新:v1gnus回答

我试图获得

cloudshell:~ $ gcloud iam service-accounts get-iam-policy ingester@xxx-123.iam.gserviceaccount.com
etag: ACAB

然后我尝试设置政策

cloudshell:~ $ gcloud projects add-iam-policy-binding xxx-123 --member serviceAccount:ingester@xxx-123.ia
m.gserviceaccount.com --role roles/storage.admin
    Updated IAM policy for project [xxx-123].
    bindings:
    ...
    - members:
      - serviceAccount:ingester@xxx-123.iam.gserviceaccount.com
      role: roles/storage.admin
    - members:
      - serviceAccount:ingester@xxx-123.iam.gserviceaccount.com
      role: roles/storage.objectAdmin
    - members:
      - serviceAccount:ingester@xxx-123.iam.gserviceaccount.com
      role: roles/storage.objectCreator
    etag: rfvtgyh-4Gw=
    version: 1

在此之后我仍然得到这个

cloudshell:~ $ gcloud iam service-accounts get-iam-policy ingester@xxx-123.iam.gserviceaccount.com
etag: ACAB

1 个答案:

答案 0 :(得分:0)

服务帐户的权限似乎有问题

ViewModel

您可以通过键入以下command来查看已将哪个角色分配给您的服务帐户:

“Error: ingester@xxx-123.iam.gserviceaccount.com does not have storage.objects.create access to the Google Cloud Storage object.”

有关如何使用Google Cloud Storage Node.js客户端API的更多信息,请检查此link

相关问题
最新问题