GCP服务帐户无法使用存储空间

问题描述 投票:0回答:1

我已经在GCP控制台中创建了服务帐户IAM&Admin> 服务帐户 >> 创建

已分配存储管理员存储对象管理员存储对象创建者

创建Key并下载json文件

为了测试此服务帐户,我在GCP VM上运行了此命令

$ gcloud auth activate-service-account --key-file service-account.json 
Activated service account credentials for: [[email protected]]

然后我就可以将文件cp到存储桶中

$ gsutil cp image-src.txt gs://bucket-images
Copying file://image-src.txt [Content-Type=text/plain]...
/ [1 files][ 19.5 KiB/ 19.5 KiB]                                                
Operation completed over 1 objects/19.5 KiB.

但是当我尝试将service-account.json与node.js应用程序一起使用时,会得到

(node:1) UnhandledPromiseRejectionWarning: Error: [email protected] does not have storage.objects.create access to the Google Cloud Storage object.
    at new ApiError (/ingester/node_modules/@google-cloud/common/build/src/util.js:59:15)
    at Util.parseHttpRespBody (/ingester/node_modules/@google-cloud/common/build/src/util.js:194:38)
    at Util.handleResp (/ingester/node_modules/@google-cloud/common/build/src/util.js:135:117)
    at retryRequest (/ingester/node_modules/@google-cloud/common/build/src/util.js:434:22)
    at onResponse (/ingester/node_modules/retry-request/index.js:206:7)
    at /ingester/node_modules/teeny-request/build/src/index.js:170:17
    at process._tickCallback (internal/process/next_tick.js:68:7)
(node:1) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 5)

我是否正确创建服务帐户?

更新:v1gnus回答后

我试图得到

cloudshell:~ $ gcloud iam service-accounts get-iam-policy [email protected]
etag: ACAB

然后我尝试设置政策

cloudshell:~ $ gcloud projects add-iam-policy-binding xxx-123 --member serviceAccount:[email protected]
m.gserviceaccount.com --role roles/storage.admin
    Updated IAM policy for project [xxx-123].
    bindings:
    ...
    - members:
      - serviceAccount:[email protected]
      role: roles/storage.admin
    - members:
      - serviceAccount:[email protected]
      role: roles/storage.objectAdmin
    - members:
      - serviceAccount:[email protected]
      role: roles/storage.objectCreator
    etag: BwWmHR5-4Gw=
    version: 1

此后我仍然得到这个

cloudshell:~ $ gcloud iam service-accounts get-iam-policy [email protected]
etag: ACAB
google-cloud-storage
1个回答
0
投票

似乎您的服务帐户的权限存在问题

“Error: [email protected] does not have storage.objects.create access to the Google Cloud Storage object.”

您可以通过键入以下command查看已分配给您的服务帐户的角色:

gcloud iam service-accounts get-iam-policy [email protected]

有关如何使用Google Cloud Storage Node.js客户端API的更多信息,请检查此link

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.