服务帐户无法列出存储桶,错误代码为“403”——“没有 storage.buckets.list 访问权限”

tag-icon tag-icon google-cloud-platform
服务帐户无法列出存储桶,错误代码为“403”——“没有 storage.buckets.list 访问权限”

我有两个不同的服务帐户。

他们的角色是相同的:

my-user@my-computer:~$ service_account_basename=working-account
my-user@my-computer:~$ service_account="$service_account_basename@$project.iam.gserviceaccount.com"
my-user@my-computer:~$ gcloud projects get-iam-policy "$(gcloud config get-value project)" \
>   --flatten="bindings[].members" \
>   --format='table(bindings.role)' \
>   --filter="bindings.members:$service_account"
ROLE
roles/compute.instanceAdmin.v1
roles/compute.securityAdmin
roles/iam.serviceAccountUser
roles/storage.admin
roles/storage.objectViewer

my-user@my-computer:~$ service_account_basename=broken-account
my-user@my-computer:~$ service_account="$service_account_basename@$project.iam.gserviceaccount.com"
my-user@my-computer:~$ gcloud projects get-iam-policy "$(gcloud config get-value project)" \
>   --flatten="bindings[].members" \
>   --format='table(bindings.role)' \
>   --filter="bindings.members:$service_account"
ROLE
roles/compute.instanceAdmin.v1
roles/compute.securityAdmin
roles/iam.serviceAccountUser
roles/storage.admin
roles/storage.objectViewer

一个帐户可以列出存储桶:

my-user@my-computer:~$ service_account_basename=working-account
my-user@my-computer:~$ service_account="$service_account_basename@$project.iam.gserviceaccount.com"
my-user@my-computer:~$ key_file="$service_account_basename.json"
my-user@my-computer:~$ gcloud iam service-accounts keys create "$key_file"  --iam-account "$service_account"
created key [8ead916d3d004522aa6e51608d42e85e] of type [json] as [working-account.json] for [[email protected]]
my-user@my-computer:~$ gcloud auth activate-service-account --key-file "$key_file"
Activated service account credentials for: [[email protected]]

my-user@my-computer:~$ gsutil ls
gs://bucket-1
gs://bucket-2
gs://bucket-3
gs://bucket-4
gs://bucket-5

... 另一个失败了:

my-user@my-computer:~$ service_account_basename=broken-account
my-user@my-computer:~$ service_account="$service_account_basename@$project.iam.gserviceaccount.com"
my-user@my-computer:~$ key_file="$service_account_basename.json"
my-user@my-computer:~$ gcloud iam service-accounts keys create "$key_file"  --iam-account "$service_account"
created key [9930c9c6ded24e87a44633aaf35f5ae5] of type [json] as [broken-account.json] for [[email protected]]
my-user@my-computer:~$ gcloud auth activate-service-account --key-file "$key_file"
Activated service account credentials for: [[email protected]]

my-user@my-computer:~$ gsutil ls
AccessDeniedException: 403 [email protected] does not have storage.buckets.list access to project 533113984589.

错误消息引用的项目是我的项目,因为打印出来的数字(533113984589)是我的项目的编号:

my-user@my-computer:~$ gcloud projects describe my-project --format="get(projectNumber)"
533113984589

有人知道哪里出了问题吗?

答案1

我怀疑此行为与重新创建以前删除的服务帐户并使用相同的名称有关。

要消除这种情况,请查看 Stackdriver 日志记录查询日志使用以下参数:

    resource.type="service_account"
    protoPayload.methodName="google.iam.admin.v1.DeleteServiceAccount"
    resource.labels.email_id="BROKEN_SA@PROJECT_ID.iam.gserviceaccount.com"

这里解释了我所告诉您的有关创建具有相同名称的新服务帐户的内容。

另外,您可以尝试创建一个全新的服务帐户,授予相同的角色并观察其行为。

相关内容