我有2个桶,prod和staging,我有一个服务帐户。我想限制此帐户只能访问暂存存储桶。现在我在https://cloud.google.com/iam/docs/conditions-overview上看到这应该是可能的。我创建了这样的policy.json
{
"bindings": [
{
"role": "roles/storage.objectCreator",
"members": "serviceAccount:[email protected]",
"condition": {
"title": "staging bucket only",
"expression": "resource.name.startsWith(\"projects/_/buckets/uploads-staging\")"
}
}
]
}
但当我解雇gcloud projects set-iam-policy lalala policy.json
我得到:
The specified policy does not contain an "etag" field identifying a
specific version to replace. Changing a policy without an "etag" can
overwrite concurrent policy changes.
Replace existing policy (Y/n)?
ERROR: (gcloud.projects.set-iam-policy) INVALID_ARGUMENT: Can't set conditional policy on policy type: resourcemanager_projects and id: /lalala
我觉得我误解了角色,政策和服务帐户是如何相关的。但无论如何:是否有可能以这种方式限制服务帐户?
以下评论,我能够解决我的问题。显然存储桶权限在某种程度上是特殊的,但是我能够使用gsutil在存储桶上设置一个允许我的用户访问的策略:
gsutils iam ch serviceAccount:[email protected]:objectCreator gs://lalala-uploads-staging
解雇之后,访问是按预期的。我发现这有点令人困惑,这不会反映在服务帐户政策上:
% gcloud iam service-accounts get-iam-policy [email protected]
etag: ACAB
感谢大家