GCP部署管理器:403没有storage.buckets.get访问权限

Question

我正在尝试使用Deployment Manager创建一个存储桶但是当我想创建部署时,我收到以下错误:

ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1525606425901-56b87ed1537c9-70ca4aca-72406eee]: errors:
- code: RESOURCE_ERROR
  location: /deployments/posts/resources/posts
  message: '{"ResourceType":"storage.v1.bucket","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"myprojectid@cloudservices.gserviceaccount.com
    does not have storage.buckets.get access to posts.","reason":"forbidden"}],"message":"myprojectid@cloudservices.gserviceaccount.com
    does not have storage.buckets.get access to posts.","statusMessage":"Forbidden","requestPath":"https://www.googleapis.com/storage/v1/b/posts","httpMethod":"GET","suggestion":"Consider
    granting permissions to myprojectid@cloudservices.gserviceaccount.com"}}'

如果我理解正确,部署管理器使用服务帐户(如消息中所述)来实际创建我的所有资源.我已经检查了IAM并确保服务角色(myprojectid@cloudservices.gserviceaccount.com)确实具有"编辑器"的访问权限,甚至添加了"存储管理"(包括storage.buckets.get)以确保更加可靠.但是,我仍然得到相同的错误消息.

我是否将权限分配给错误的IAM用户/我做错了什么？

---

使用的命令:

gcloud deployment-manager deployments create posts --config posts.yml

我的部署模板:

bucket.jinja

resources:
- name: {{ properties['name'] }}
  type: storage.v1.bucket
  properties:
    name: {{ properties['name'] }}
    location: europe-west1
    lifecycle:
      rule:
      - action:
          type: Delete
        condition:
          age: 30
          isLive: true
    labels:
      datatype: {{ properties['datatype'] }}
    storageClass: REGIONAL

posts.yml

imports:
  - path: bucket.jinja

resources:
- name: posts
  type: bucket.jinja
  properties:
    name: posts
    datatype: posts

Answer 1

我成功测试了您的代码,我认为这个问题是您试图创建/更新由属于不同的项目在其服务帐户无权不同的用户拥有一个水桶.

因此,请尝试重新部署更改可能是唯一的名称,如果这样可以解决问题,请告诉我.在某些情况下,这可能是一个问题,因为您选择的名称很长或者已经存在风险.

请注意,您必须更改存储桶的名称,因为它必须在所有用户的所有项目中都是唯一的.

这似乎是一个过分的要求,但它可以创建静态网站或使用标准URL引用文件:

• https://storage.googleapis.com/nomebucket/folder/nomefile

从跟踪错误中我认为这是问题,您正在尝试创建一个不存在且您不拥有的存储桶.

请注意,如果从服务帐户中删除权限,则不会收到消息,告知您服务帐户对存储桶没有任何电源:

xxx@cloudservices.gserviceaccount.com does not have storage.buckets.get access to posts.

但是相反,会有一条消息指出服务帐户对项目没有任何影响:

Service account xxx@cloudservices.gserviceaccount.com is not authorized
    to take actions for project xxx. Please add xxx@cloudservices.gserviceaccount.com
    as an editor under project xxx using Google Developers Console

请注意,如果您尝试创建已经拥有的存储桶,则没有问题.

$ gcloud deployment-manager deployments create posts22 --config posts.yml                                                                                             
The fingerprint of the deployment is xxx==
Waiting for create [operation-xxx-xxx-xxx-xxx]...done.
Create operation operation-xxx-xxx-xxx-xxx completed successfully.
NAME                  TYPE               STATE      ERRORS  INTENT
nomebuckettest4536  storage.v1.bucket  COMPLETED  []