Giving GCP service account Pub/Sub rights for topic in different project

Question

I have a Node.js service running in GCP VM, running as a service account. Now I want to subscribe to a Pub/Sub topic. The Service account and the VM belong to Project A, the topic belongs to Project B.

I'm always getting Error: 7 PERMISSION_DENIED: User not authorized to perform this action.

What I have tried:

  • Adding https://www.googleapis.com/auth/pubsub to the scopes when creating the template of the VM. Seeing now Cloud Pub/Sub: Enabled in the API and identity management section of the instance. So, that seems to have worked.

  • Giving the service account the roles/pubsub.subscriber role via command gcloud projects add-iam-policy-binding my-project --member="serviceAccount:my-sa@my-project.iam.gserviceaccount.com" --role='roles/pubsub.subscriber'

  • Giving the service account the "Pub/Sub subscriber" role in Project B:

  • Giving the service account access to the topic itself:

But still, the error is the same.

(Side note: If a GCP manager reads this: The GCP logs don't show any details. That's not helpful in this case. If you need four permissions to run something then I expect the logs to be like You need 4 permissions, your user has permission A, C, D, but lacking B and not just User not authorized to perform this action.)

Answer 1

Score: 1

Can you try my-project-b with a service account from my-project-a -

slightly modified your code:

gcloud projects add-iam-policy-binding my-project-b --member="serviceAccount:my-sa@my-project-a.iam.gserviceaccount.com" --role='roles/pubsub.subscriber'

and so on...

Answer 2

Score: 0

What's your error? Is the error from "trying to create a subscription", or "trying to connect to a subscription and consume message"?

The former needs more permissions than Subscriber: projects.subscriptions.create

Subscriber can only consume messages, but not create a new subscription: https://cloud.google.com/pubsub/docs/access-control#pubsub.subscriber
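
The create-versus-consume distinction in Answer 2, and the per-permission detail the asker wanted from the logs, can be checked from the VM with the Pub/Sub testIamPermissions call. This is an added example, not code from the thread; the resource names, the file name and the placement of the subscription in project A are placeholder assumptions.

```javascript
// Added example: resource names are placeholders, not values from the thread.
// Each step from Answer 2, the resource it is checked on, and what it needs.
// (Creating also needs pubsub.subscriptions.create on the project that will
// own the subscription; that is a project-level check outside this script.)
const CHECKS = [
  { step: 'create a subscription on the topic', kind: 'topic',
    resource: 'projects/my-project-b/topics/my-topic',
    permissions: ['pubsub.topics.attachSubscription'] },
  { step: 'consume from an existing subscription', kind: 'subscription',
    resource: 'projects/my-project-a/subscriptions/my-sub',
    permissions: ['pubsub.subscriptions.consume'] },
];

// Compare what was asked for with the map testPermissions() returns,
// e.g. { 'pubsub.subscriptions.consume': false }. Absent keys count as missing.
function missingPermissions(requested, grantedMap) {
  return requested.filter((p) => grantedMap[p] !== true);
}

function formatReport(results) {
  return results.map(({ step, resource, missing }) =>
    missing.length === 0
      ? `OK: ${step} on ${resource}`
      : `MISSING for ${step} on ${resource}: ${missing.join(', ')}`);
}

// Calls testIamPermissions as the ambient identity (on the VM: the attached service account).
async function diagnose(checks = CHECKS) {
  // Loaded lazily so the helpers above work without the client library.
  const { PubSub } = require('@google-cloud/pubsub');
  const pubsub = new PubSub();
  const results = [];
  for (const c of checks) {
    const handle = c.kind === 'topic'
      ? pubsub.topic(c.resource)
      : pubsub.subscription(c.resource);
    const [granted] = await handle.iam.testPermissions(c.permissions);
    results.push({ step: c.step, resource: c.resource,
      missing: missingPermissions(c.permissions, granted) });
  }
  return formatReport(results);
}

// Run against real resources with: RUN_DIAGNOSE=1 node check-pubsub-iam.js
if (process.env.RUN_DIAGNOSE === '1') {
  diagnose().then((lines) => console.log(lines.join('\n')), console.error);
}
```

A MISSING line for the topic points at a binding needed in project B, while a MISSING line for the subscription points at the project that owns the subscription.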

huangapple
  • Published on March 9, 2023 at 17:50:36
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75682882.html
  • authorization
  • google-cloud-iam
  • google-cloud-platform
  • google-cloud-pubsub
  • service-accounts