在google cloud gui控制台中,我访问了"IAM&admin">"服务帐户",并使用查看者角色创建了一个名为"my-service-account"的服务帐户.
然后我运行了这个命令:
gcloud iam service-accounts get-iam-policy my-service-account@mydomain.iam.gserviceaccount.com
并看到了这个输出:
etag: ACAB
根据文档,这意味着此服务帐户没有与之关联的策略.所以我给它分配了一个"角色",不包括在其"政策"中.
如何列出与服务帐户关联的角色?
我创建了一个服务帐户并分配了以下角色:
Owner
Storage Admin
Storage Object Admin
Tester
Tester 是我为学习目的创建的具有以下权限的角色:
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storage.objects.update
...
我知道我不必要地过度使用这些角色的权限;但是,这仅用于测试目的。
考虑到bucket只包含一个文件并且账户有相应的权限,下面的Python代码应该可以工作(在我的本地计算机上运行):
Owner
Storage Admin
Storage Object Admin
Tester
但它没有:
Traceback (most recent call last):
File "gcloud/test.py", line 8, in <module>
for blob in blobs:
File "/home/user/.local/lib/python3.6/site-packages/google/api_core/page_iterator.py", line 212, in _items_iter
for page in self._page_iter(increment=False):
File "/home/berkay/.local/lib/python3.6/site-packages/google/api_core/page_iterator.py", line 243, in _page_iter
page = self._next_page()
File "/home/user/.local/lib/python3.6/site-packages/google/api_core/page_iterator.py", line 369, in _next_page
response = self._get_next_page_response()
File "/home/user/.local/lib/python3.6/site-packages/google/api_core/page_iterator.py", …