在 GCP 中的策略中添加角色时,策略成员必须以“<type>:<value>”形式作为前缀错误

问题描述 投票:0回答:1

我编写此类是为了在我的 Google Cloud 项目中添加/更新角色和成员。

class PolicyManager:
    """Policy manager to manage roles in Google Cloud"""

    def __init__(self, project_id: str):
        self.project_id = project_id

        credentials, _ = google.auth.default(
            scopes=["https://www.googleapis.com/auth/cloud-platform"]
        )
        self.crm_service = googleapiclient.discovery.build(
            "cloudresourcemanager", "v1", credentials=credentials
        )

    def get_policy(self, version: int = 1) -> dict:
        """Gets IAM policy for a project."""

        policy = (
            self.crm_service.projects()
            .getIamPolicy(
                resource=self.project_id,
                body={"options": {"requestedPolicyVersion": version}},
            )
            .execute()
        )
        return policy

    def set_policy(self, policy: dict) -> dict:
        """Sets IAM policy for a project."""

        policy = (
            self.crm_service.projects()
            .setIamPolicy(resource=self.project_id, body={"policy": policy})
            .execute()
        )
        return policy

    def modify_policy_add_role(self, role: str, member: str) -> dict:
        """Adds a new role binding to a policy."""

        policy = self.get_policy()

        binding = None
        for b in policy["bindings"]:
            if b["role"] == role:
                binding = b
                break
        if binding is not None:
            binding["members"].append(member)
        else:
            policy["version"] = 1
            binding = {
                "role": role,
                "members": [member],
            }

            policy["bindings"].append(binding)

        return self.set_policy(policy)

这是我正在关注的文档之一。

但是通过尝试这个:

    policy_manager = PolicyManager(get_project_id())
    policy_manager.modify_policy_add_role(
        role="roles/bigquery.jobUser", member=service_account_name
    )

我在 

self.crm_service.projects()
方法中的 
set_policy
上收到此错误:

googleapiclient.errors.HttpError:https://cloudresourcemanager.googleapis.com/v1/projects/dayrize-test:setIamPolicy?alt=json 返回“策略成员必须采用“:”形式。”。 详细信息:“[{'@type': 'type.googleapis.com/google.rpc.BadRequest', 'fieldViolations': [{'field': 'policy.bindings.member', '描述': “策略成员必须以‘:’形式作为前缀,其中 是“域”、“组”、“serviceAccount”或“用户”。"}]}, {'@type': 'type.googleapis.com/google.rpc.ErrorInfo', '原因': 'PROJECT_SET_IAM_DISALLOWED_MEMBER_TYPE','域': 'cloudresourcemanager.googleapis.com'},{'@type': 'type.googleapis.com/google.rpc.ResourceInfo','资源名称': '项目/我的项目'}]">

通过调试我可以看到,在运行 

get_policy
时,
members
属性是角色绑定的成员列表。那么,如果我首先通过 Google 本身获得一个简单的列表,为什么我会收到此错误?

python google-cloud-platform google-api google-api-python-client google-cloud-iam
1个回答
0
投票

委托人(成员)的格式为 

type:email

示例 

user:[email protected]
serviceAccount:[email protected]

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.