英文:
How do I check that a Google Cloud service account has a particular permission programmatically?
问题
我正在与用户提供的 GCS 存储桶进行集成。用户会给我一个服务帐号,我想要验证该服务帐号是否已启用对该存储桶的对象写入权限。我无法找到关于如何进行此操作的文档。我原以为在 GCS 客户端库中应该有一种简单的方法来检查这一点,但似乎并不像 myBucket.CanWrite()
那么简单。正确的方法是什么?我是否需要涉及到存储桶,还是说只需给定一个服务帐号的 JSON 文件,就可以检查其中是否存在 storage.objects.create
权限?
英文:
I'm making an integration with a user-supplied GCS bucket. The user will give me a service account, and I want to verify that service account has object write permissions enabled to the bucket. I am failing to find documentation on a good way to do this. I expected there to be an easy way to check this in the GCS client library, but it doesn't seem as simple as myBucket.CanWrite()
. What's the right way to do this? Do I need to have the bucket involved, or is there a way, given a service account json file, to just check that storage.objects.create
exists on it?
答案1
得分: 1
IAM权限可以在组织、文件夹、项目和资源(例如GCS存储桶)级别上授予。您需要小心确保正确检查。
对于显式授予存储桶的权限:
- 使用APIs Explorer查找Cloud Storage服务。
- 使用Cloud Storage API参考查找方法。
- 使用BucketAccessControls:get检索成员(例如服务账号)的权限(如果有)。
APIs Explorer有时会提供代码示例,但只要知道方法,您就可以找到Go SDK。
文档中包含了使用List
方法的ACLs的摘要,但我认为您可能想使用Get
(或等效方法)。
注意:我没有做过这个。
在Go库中,似乎没有与底层API的Get
方法直接对应的方法。
从Client
中,您可以使用带有存储桶名称的Bucket
方法获取BucketHandle
,然后使用ACL
方法检索存储桶的ACL(其中应包括服务账号的电子邮件地址和角色,如果有的话)。
或者,您可以使用IAM
方法获取存储桶的IAM库的Handle
,然后使用Policy
方法获取资源的IAM Policy
,其中将包括服务账号的电子邮件地址和IAM角色(如果有的话)。
英文:
IAM permissions can be granted at org, folder, project and resource (e.g. GCS Bucket) level. You will need to be careful that you check correctly.
For permissions granted explicitly to the bucket:
- Use APIs Explorer to find Cloud Storage service
- Use Cloud Storage API reference to find the method
- Use BucketAccessControls:get to retrieve a member's (e.g. a Service Account's) permission (if any).
APIs Explorer used (sometimes) has code examples but, knowing the method, you can find the Go SDK.
The documentation includes a summary for ACLs using the List
method, but I think you'll want to use Get
(or equivalent).
> NOTE I've not done this.
There doesn't appear to be a specific match to the underlying API's Get
in the Go library.
From a Client
, you can use Bucket
method with a Bucket name to get a BucketHandle
and then use the ACL
method to retrieve the bucket's ACL (which should include the Service Account's email address and role, if any).
Or you can use the IAM
method to get the bucket's IAM library's (!) Handle
and then use the Policy
method to get the resource's IAM Policy
which will include the Service Account's email address and IAM role (if any).
答案2
得分: 1
由于DazWilkin的回答,您可以在不同级别上检查权限,但很难清楚地知道一个帐户是否具有权限。
为此,Google Cloud发布了一个名为IAM故障排除器的服务。它是Policy Intelligence套件的一部分,可以帮助您理解、分析和排除IAM权限问题。
您可以在文档中找到调用API的方法。
英文:
Because of DazWilkin answer, you can check the permission at different level and it can be difficult to clearly know if an account as a permission.
For that, Google Cloud released a service: IAM troubleshooter. It's part of Policy Intelligence suite that help your to understand, analyse and troubleshoot the IAM permissions.
You have the API to call in the documentation.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论