英文:
Giving GCP service account Pub/Sub rights for topic in different project
问题
我有一个在GCP VM上以服务帐号身份运行的Node.js服务。现在我想订阅一个Pub/Sub主题。服务帐号和VM属于项目A,主题属于项目B。
我一直都在收到错误:7 PERMISSION_DENIED: User not authorized to perform this action
。
我尝试过的方法:
-
在创建VM模板时,将
https://www.googleapis.com/auth/pubsub
添加到作用域中。现在在实例的API和身份管理
部分看到了Cloud Pub/Sub: Enabled
。所以,这似乎起作用了。 -
通过命令
gcloud projects add-iam-policy-binding my-project --member="serviceAccount:my-sa@my-project.iam.gserviceaccount.com" --role='roles/pubsub.subscriber'
为服务帐号分配roles/pubsub.subscriber
角色。 -
在项目B中为服务帐号分配"Pub/Sub subscriber"角色:
- 为服务帐号授予对主题本身的访问权限:
但仍然出现相同的错误。
(附注:如果一个GCP管理员看到这个:GCP日志没有显示任何详细信息。这在这种情况下并不有帮助。如果运行某项操作需要四个权限,我希望日志会显示类似于您需要4个权限,您的用户具有权限A、C、D,但缺少B
,而不仅仅是User not authorized to perform this action.
)
英文:
I have a Node.js service running in GCP VM, running as a service account. Now I want to subscribe to a Pub/Sub topic. The Service account and the VM belong to Project A, the topic belongs to Project B.
I'm always getting Error: 7 PERMISSION_DENIED: User not authorized to perform this action
.
What I have tried:
-
Adding
https://www.googleapis.com/auth/pubsub
to the scopes when creating the template of the VM. Seeing nowCloud Pub/Sub: Enabled
in theAPI and identity management
section of the instance. So, that seems to have worked. -
Giving the service account the
roles/pubsub.subscriber
role via commandgcloud projects add-iam-policy-binding my-project --member="serviceAccount:my-sa@my-project.iam.gserviceaccount.com" --role='roles/pubsub.subscriber'
-
Giving the service account the "Pub/Sub subscriber" role in Project B:
- Giving the service account access to the topic itself:
But still, the error is the same.
(Side note: If a GCP manager reads this: The GCP logs don't show any details. That's not helpful in this case. If you need four permissions to run something then I expect the logs to be like You need 4 permissions, your user has permission A, C, D, but lacking B
and not just User not authorized to perform this action.
)
答案1
得分: 1
你可以尝试使用来自my-project-a
的服务帐户来运行my-project-b
中的代码 -
稍微修改了您的代码:
gcloud projects add-iam-policy-binding my-project-b --member="serviceAccount:my-sa@my-project-a.iam.gserviceaccount.com" --role='roles/pubsub.subscriber'
等等...
英文:
can you try my-project-b
with a service accont from the my-project-a
-
slightly modified your code:
gcloud projects add-iam-policy-binding my-project-b --member="serviceAccount:my-sa@my-project-a.iam.gserviceaccount.com" --role='roles/pubsub.subscriber'
and so on...
答案2
得分: 0
你的错误是什么?是来自于"尝试创建订阅",还是"尝试连接到订阅并消费消息"?
前者需要比订阅者更多的权限:projects.subscriptions.create
订阅者只能消费消息,但不能创建新的订阅:https://cloud.google.com/pubsub/docs/access-control#pubsub.subscriber
英文:
What's your error? Is the error from "trying to create a subscription", or "trying to connect to a subscription and consume message"?
The former needs more permissions than Subscriber: projects.subscriptions.create
Subscriber can only consumer message, but not creating a new subscription: https://cloud.google.com/pubsub/docs/access-control#pubsub.subscriber
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论