Avi*_*Raj 4 python django google-cloud-storage google-cloud-platform google-kubernetes-engine
目前,我正在尝试将文件写入Google Cloud Storage存储桶。为此,我使用了django-storages软件包。
我已经部署了代码,并通过kubernetes kubectl实用程序进入了正在运行的容器,以检查GCS存储桶的工作情况。
$ kubectl exec -it foo-pod -c foo-container --namespace=testing python manage.py shell
我可以读取存储桶,但是如果尝试写入存储桶,它将显示以下回溯。
>>> from django.core.files.storage import default_storage
>>> f = default_storage.open('storage_test', 'w')
>>> f.write('hi')
2
>>> f.close()
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/google/cloud/storage/blob.py", line 946, in upload_from_file
client, file_obj, content_type, size, num_retries)
File "/usr/local/lib/python3.6/site-packages/google/cloud/storage/blob.py", line 867, in _do_upload
client, stream, content_type, size, num_retries)
File "/usr/local/lib/python3.6/site-packages/google/cloud/storage/blob.py", line 700, in _do_multipart_upload
transport, data, object_metadata, content_type)
File "/usr/local/lib/python3.6/site-packages/google/resumable_media/requests/upload.py", line 98, in transmit
self._process_response(result)
File "/usr/local/lib/python3.6/site-packages/google/resumable_media/_upload.py", line 110, in _process_response
response, (http_client.OK,), self._get_status_code)
File "/usr/local/lib/python3.6/site-packages/google/resumable_media/_helpers.py", line 93, in require_status_code
status_code, u'Expected one of', *status_codes)
google.resumable_media.common.InvalidResponse: ('Request failed with status code', 403, 'Expected one of', <HTTPStatus.OK: 200>)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<console>", line 1, in <module>
File "/usr/local/lib/python3.6/site-packages/storages/backends/gcloud.py", line 75, in close
self.blob.upload_from_file(self.file, content_type=self.mime_type)
File "/usr/local/lib/python3.6/site-packages/google/cloud/storage/blob.py", line 949, in upload_from_file
_raise_from_invalid_response(exc)
File "/usr/local/lib/python3.6/site-packages/google/cloud/storage/blob.py", line 1735, in _raise_from_invalid_response
raise exceptions.from_http_response(error.response)
google.api_core.exceptions.Forbidden: 403 POST https://www.googleapis.com/upload/storage/v1/b/foo.com/o?uploadType=multipart: Insufficient Permission
>>> default_storage.url('new docker')
'https://storage.googleapis.com/foo.appspot.com/new%20docker'
>>>
似乎它与存储桶权限完全相关。所以我已经将存储管理员,存储对象创建者角色分配给了谷歌云构建服务帐户(通过存储桶->管理权限),但仍然显示相同的错误。
可能的解释是,如果您没有为群集分配正确的范围。在这种情况下,群集中的节点将没有所需的授权/权限来写入Google Cloud Storage,这可以解释您看到的403错误。
如果在创建集群时未设置范围,则将分配默认范围,这仅提供对Cloud Storage的读取权限。
为了使用Cloud SDK检查集群的当前范围,您可以尝试从Cloud Shell运行“描述”命令,例如:
gcloud container clusters describe CLUSTER-NAME --zone ZONE
输出的oauthScopes部分包含分配给集群/节点的当前范围。
默认的只读Cloud Storage范围将显示:
https://www.googleapis.com/auth/devstorage.read_only
如果设置了Cloud Storage的读/写范围,则输出将显示:
https://www.googleapis.com/auth/devstorage.read_write
可以在群集创建期间使用--scope开关和所需的范围标识符来设置范围。在您的情况下,这将是“ storage-rw”。例如,您可以运行以下命令:
gcloud容器集群创建CLUSTER-NAME --zone ZONE --scopes storage-rw
然后storage-rw,合并范围与您的服务帐户一起应允许群集中的节点写入Cloud Storage。
或者,如果您不想重新创建集群,则可以使用所需的新作用域创建一个新的节点池,然后删除旧的节点池。请参阅接受的答案,是否需要重新创建Google Container Engine集群以修改API权限?有关如何实现此目的的信息。
| 归档时间: |
|
| 查看次数: |
2842 次 |
| 最近记录: |