问题
I am using Gitlab CI to build docker images and to push them to GCR. My Script goes like this -
build:
image: google/cloud-sdk
services:
- docker:dind
stage: build
cache:
script:
- echo "$GCP_SERVICE_KEY" > gcloud-service-key.json # Google Cloud service accounts
- gcloud auth activate-service-account --key-file gcloud-service-key.json
- gcloud auth configure-docker --quiet
- gcloud config set project $GCP_PROJECT_ID
- echo ${IMAGE_NAME}:${IMAGE_TAG}
- PYTHONUNBUFFERED=1 gcloud builds submit -t ${IMAGE_NAME}:${IMAGE_TAG} .
only:
- master
and I am getting this error-
ERROR: (gcloud.builds.submit) HTTPError 403: <service account name>@<projectname>.iam.gserviceaccount.com does not have storage.buckets.list access to project <projectid>.
After giving service account Cloud Editor permissions, I am getting the error -
ERROR: (gcloud.builds.submit) User [<service account name>@<projectname>.iam.gserviceaccount.com] does not have permission to access b [<bucker_name>] (or it may not exist): <service account name>@<projectname>.iam.gserviceaccount.com does not have storage.buckets.get access to <bucket_name>
What all permissions do I have to give to service account to achieve so?
回答1:
From the error:
<service account name>@<projectname>.iam.gserviceaccount.com
does not have storage.buckets.list access to project <projectid>
I suspect that <projectname> and <projectid> refer to 2 different projects.
The project that owns the service account (<projectname>) may well have storage.[buckets|objects].* permissions but these will apply to the GCS resources controlled by <projectname> and not to those controlled by <projectid>.
NB Yes, it's confusing to see projects referenced by different types of keys but, to confirm, compare the ProjectID of <projectname> with <projectid>. Replace <projectname> with its value in the below to retrieve the ProjectID:
gcloud projects list --filter="name=<projectname> --format="value(projectId)"
There are 2 approaches to permitting identities to access GCS resources. The first is (as above) to create these at the project level. The second is to apply these to specific buckets.
See the link below for guidance. It's for Cloud Build's service account but the principle is the same. The service account (in project <projectname>) needs to have access to the GCS resources in <projectid>:
https://cloud.google.com/cloud-build/docs/securing-builds/set-service-account-permissions#push_private_images_to_others
来源:https://stackoverflow.com/questions/57513905/service-account-does-not-have-storage-buckets-lists-access-to-project-while-push