创建google cloud storage notification 的权限问题

2024-06-08 14:52

本文主要是介绍创建google cloud storage notification 的权限问题,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

问题

根据google 的文档:
https://cloud.google.com/storage/docs/reporting-changes#command-line

明确表示, 要创建storage notificaiton , 创建者(or service account) 只需要bucket 和 pubsub admin roles

在这里插入图片描述
但是实际上我在公司尝试为1个bucket 创建 notification 时遇到了错误:


ERROR: (gcloud.storage.buckets.notifications.create) User [xxxxx] does not have permission to access b instance [xxxx] (or it may not exist): 
xxxxx does not have serviceusage.services.use access to the Google Cloud project. Permission 'serviceusage.services.use' denied on resource (or it may not exist). This command is authenticated as xxxxx which is the active account specified by the [core/account] property.

首先什么是b instance, serviceusage.services.us 又是什么权限

由于我在公司所用的账号是terraform用的账号, 权限我相信是足够的, 也具有pubsub 和 bucket admin 的roles.

而且这个账号之前是创建过其他notification的

尝试几次后, 够钟收工






尝试在家里reproduce 这个issue

首先创建 1个service account, 并且分配权限

account name 就叫 pubsub-bucket-adm

tf 脚本:

# create a resource for a new service account
resource "google_service_account" "service_account_pubsub_bucket_adm" {account_id   = "pubsub-bucket-adm"display_name = "service count for pubsub bucket admin"project      = var.project_id
}# define the roles for the service account
resource "google_project_iam_binding" "service_account_pubsub_bucket_adm" {project = var.project_idrole    = "roles/pubsub.admin"members = ["serviceAccount:${google_service_account.service_account_pubsub_bucket_adm.email}"]
}resource "google_project_iam_binding" "service_account_pubsub_bucket_adm_storage" {project = var.project_idrole    = "roles/storage.admin"members = ["serviceAccount:${google_service_account.service_account_pubsub_bucket_adm.email}"]
}



检查账号和权限

正常

[gateman@manjaro-x13 keys]$ list_service_account
+ gcloud iam service-accounts list
DISPLAY NAME                            EMAIL                                                  DISABLED
owner-test                              owner-test@jason-hsbc.iam.gserviceaccount.com          False
App Engine default service account      jason-hsbc@appspot.gserviceaccount.com                 False
terraform                               terraform@jason-hsbc.iam.gserviceaccount.com           False
vm-common                               vm-common@jason-hsbc.iam.gserviceaccount.com           False
service count for pubsub bucket admin   pubsub-bucket-adm@jason-hsbc.iam.gserviceaccount.com   False
pubsub publisher a                      pubsub-publisher-a@jason-hsbc.iam.gserviceaccount.com  False
non-access                              non-access@jason-hsbc.iam.gserviceaccount.com          False
terraform2                              terraform2@jason-hsbc.iam.gserviceaccount.com          False
Compute Engine default service account  912156613264-compute@developer.gserviceaccount.com     False
[gateman@manjaro-x13 keys]$ list_roles pubsub-bucket-adm@jason-hsbc.iam.gserviceaccount.com
+ gcloud projects get-iam-policy jason-hsbc '--flatten=bindings[].members' '--format=table(bindings.role)' --filter=bindings.members:pubsub-bucket-adm@jason-hsbc.iam.gserviceaccount.com
ROLE
roles/pubsub.admin
roles/storage.admin
[gateman@manjaro-x13 keys]$ 



创建1个bucket

tf 脚本

resource "google_storage_bucket" "bucket-jason-hsbc-test" {name     = "${var.project_id}-test"project  = var.project_idlocation = var.region_id
}
[gateman@manjaro-x13 keys]$ gsutil ls
gs://dataflow-staging-europe-west2-912156613264/
gs://gcf-v2-sources-912156613264-europe-west2/
gs://gcf-v2-uploads-912156613264-europe-west2/
gs://jason-hsbc/
gs://jason-hsbc-dataflow/
gs://jason-hsbc-demo-src/
gs://jason-hsbc-demo-target/
gs://jason-hsbc-des/
gs://jason-hsbc-learning/
gs://jason-hsbc-raw/
gs://jason-hsbc-src/
gs://jason-hsbc-test/
gs://jason-hsbc_cloudbuild/
gs://linkedin_learning_56/
[gateman@manjaro-x13 keys]$ 

gs://jason-hsbc-test 这个新的bucket 已被创建



尝试去为这个bucket 创建notification

命令

gcloud storage buckets notifications create gs://jason-hsbc-test --topic=projects/jason-hsbc/topics/TopicA



错误重现
[gateman@manjaro-x13 keys]$ gcloud storage buckets notifications create gs://jason-hsbc-test --topic=projects/jason-hsbc/topics/TopicA
WARNING: Topic already exists: projects/jason-hsbc/topics/TopicA
WARNING: Retrying create notification request because topic changes may take up to 10 seconds to process.
ERROR: (gcloud.storage.buckets.notifications.create) User [pubsub-bucket-adm@jason-hsbc.iam.gserviceaccount.com] does not have permission to access b instance [jason-hsbc-test] (or it may not exist): pubsub-bucket-adm@jason-hsbc.iam.gserviceaccount.com does not have serviceusage.services.use access to the Google Cloud project. Permission 'serviceusage.services.use' denied on resource (or it may not exist). This command is authenticated as pubsub-bucket-adm@jason-hsbc.iam.gserviceaccount.com which is the active account specified by the [core/account] property.
[gateman@manjaro-x13 keys]






解决

看error message 应该是缺了 serviceusage.services.use 这个permisson
就从点入手



查看有那些role 具有permisson serviceusage.services.use

https://console.cloud.google.com/iam-admin/roles?referrer=search&project=jason-hsbc

发现 Service Usage Consumer 应该是候选role
https://console.cloud.google.com/iam-admin/roles/details/roles%3Cserviceusage.serviceUsageConsumer?project=jason-hsbc



添加 角色 Service Usage Consumer 给 pubsub-bucket-adm

tf 脚本

resource "google_project_iam_binding" "service_account_pubsub_bucket_adm_service_usage_comsumer" {project = var.project_idrole    = "roles/serviceusage.serviceUsageConsumer"members = ["serviceAccount:${google_service_account.service_account_pubsub_bucket_adm.email}"]
}



检查
[gateman@manjaro-x13 keys]$ list_roles pubsub-bucket-adm@jason-hsbc.iam.gserviceaccount.com
+ gcloud projects get-iam-policy jason-hsbc '--flatten=bindings[].members' '--format=table(bindings.role)' --filter=bindings.members:pubsub-bucket-adm@jason-hsbc.iam.gserviceaccount.com
ROLE
roles/pubsub.admin
roles/serviceusage.serviceUsageConsumer
roles/storage.admin



重新尝试创建notification
[gateman@manjaro-x13 keys]$ gcloud storage buckets notifications create gs://jason-hsbc-test --topic=projects/jason-hsbc/topics/TopicA
WARNING: Topic already exists: projects/jason-hsbc/topics/TopicA
etag: '1'
id: '1'
kind: storage#notification
payload_format: JSON_API_V1
selfLink: https://www.googleapis.com/storage/v1/b/jason-hsbc-test/notificationConfigs/1
topic: //pubsub.googleapis.com/projects/jason-hsbc/topics/TopicA[gateman@manjaro-x13 keys]$ gsutil notification list gs://jason-hsbc-test
projects/_/buckets/jason-hsbc-test/notificationConfigs/1Cloud Pub/Sub topic: projects/jason-hsbc/topics/TopicA

成功!


总结

Google 文档也不是很靠谱, 更新并不是非常及时

这篇关于创建google cloud storage notification 的权限问题的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/1042500

相关文章

Spring的RedisTemplate的json反序列泛型丢失问题解决

《Spring的RedisTemplate的json反序列泛型丢失问题解决》本文主要介绍了SpringRedisTemplate中使用JSON序列化时泛型信息丢失的问题及其提出三种解决方案,可以根据性... 目录背景解决方案方案一方案二方案三总结背景在使用RedisTemplate操作redis时我们针对

Kotlin Map映射转换问题小结

《KotlinMap映射转换问题小结》文章介绍了Kotlin集合转换的多种方法,包括map(一对一转换)、mapIndexed(带索引)、mapNotNull(过滤null)、mapKeys/map... 目录Kotlin 集合转换:map、mapIndexed、mapNotNull、mapKeys、map

nginx中端口无权限的问题解决

《nginx中端口无权限的问题解决》当Nginx日志报错bind()to80failed(13:Permissiondenied)时,这通常是由于权限不足导致Nginx无法绑定到80端口,下面就来... 目录一、问题原因分析二、解决方案1. 以 root 权限运行 Nginx(不推荐)2. 为 Nginx

解决1093 - You can‘t specify target table报错问题及原因分析

《解决1093-Youcan‘tspecifytargettable报错问题及原因分析》MySQL1093错误因UPDATE/DELETE语句的FROM子句直接引用目标表或嵌套子查询导致,... 目录报js错原因分析具体原因解决办法方法一:使用临时表方法二:使用JOIN方法三:使用EXISTS示例总结报错原

Windows环境下解决Matplotlib中文字体显示问题的详细教程

《Windows环境下解决Matplotlib中文字体显示问题的详细教程》本文详细介绍了在Windows下解决Matplotlib中文显示问题的方法,包括安装字体、更新缓存、配置文件设置及编码調整,并... 目录引言问题分析解决方案详解1. 检查系统已安装字体2. 手动添加中文字体(以SimHei为例)步骤

SpringSecurity整合redission序列化问题小结(最新整理)

《SpringSecurity整合redission序列化问题小结(最新整理)》文章详解SpringSecurity整合Redisson时的序列化问题,指出需排除官方Jackson依赖,通过自定义反序... 目录1. 前言2. Redission配置2.1 RedissonProperties2.2 Red

IntelliJ IDEA2025创建SpringBoot项目的实现步骤

《IntelliJIDEA2025创建SpringBoot项目的实现步骤》本文主要介绍了IntelliJIDEA2025创建SpringBoot项目的实现步骤,文中通过示例代码介绍的非常详细,对大家... 目录一、创建 Spring Boot 项目1. 新建项目2. 基础配置3. 选择依赖4. 生成项目5.

nginx 负载均衡配置及如何解决重复登录问题

《nginx负载均衡配置及如何解决重复登录问题》文章详解Nginx源码安装与Docker部署,介绍四层/七层代理区别及负载均衡策略,通过ip_hash解决重复登录问题,对nginx负载均衡配置及如何... 目录一:源码安装:1.配置编译参数2.编译3.编译安装 二,四层代理和七层代理区别1.二者混合使用举例

Linux线程之线程的创建、属性、回收、退出、取消方式

《Linux线程之线程的创建、属性、回收、退出、取消方式》文章总结了线程管理核心知识:线程号唯一、创建方式、属性设置(如分离状态与栈大小)、回收机制(join/detach)、退出方法(返回/pthr... 目录1. 线程号2. 线程的创建3. 线程属性4. 线程的回收5. 线程的退出6. 线程的取消7.

创建Java keystore文件的完整指南及详细步骤

《创建Javakeystore文件的完整指南及详细步骤》本文详解Java中keystore的创建与配置,涵盖私钥管理、自签名与CA证书生成、SSL/TLS应用,强调安全存储及验证机制,确保通信加密和... 目录1. 秘密键(私钥)的理解与管理私钥的定义与重要性私钥的管理策略私钥的生成与存储2. 证书的创建与