GCE API 'projects/someproject' 需要 'compute.zones.list' 权限
GCE API Required 'compute.zones.list' permission for 'projects/someproject'
我已经在 GCP 中创建了项目。然后我创建具有 ComputeAdmin 角色的服务帐户。然后我为项目启用"Compute Engine API"。
但无法使用实例:
#gcloud compute instances list
ERROR: (gcloud.compute.instances.list) Some requests did not succeed: - Required 'compute.zones.list'
permission for 'projects/someproject'
我做错了什么?
已编辑
来自服务帐户:
ERROR: (gcloud.projects.get-iam-policy) User
[cloud66@project_id.iam.gserviceaccount.com] does not have permission
to access project [project_id:getIamPolicy] (or it may not exist): The
caller does not have permission
当我切换到主 google 帐户时:
$ gcloud projects get-iam-policy project_id bindings:
members:
- serviceAccount:cloud66@project_id.iam.gserviceaccount.com
role: roles/compute.admin
members:
- serviceAccount:service-855312803173@compute-system.iam.gserviceaccount.com
role: roles/compute.serviceAgent
members:
- serviceAccount:855312803173-compute@developer.gserviceaccount.com
- serviceAccount:855312803173@cloudservices.gserviceaccount.com
role: roles/editor
members:
- user:my_google_user role: roles/owner
从日志视图:
2020-01-28 16:46:30.932 EET Compute Engine list zones
cloud66@project_id.iam.gserviceaccount.com PERMISSION_DENIED
code: 7
message: "PERMISSION_DENIED"
看看documentation first. Usually such error occurs if your service account doesn't have enough permissions. In this case, you should check available roles, search there for required permission like compute.zones. and add it to your service account as it described here. For example it could be Compute Instance Admin (v1) role。
编辑 看起来 Compute Admin role 应该适合您。可以肯定的是,使用命令检查项目中授予的角色:
gcloud projects get-iam-policy YOUR_PROJECT_ID
如果想通过云 API 从某些应用程序使用您的服务帐户,请查看此 instructions。
EDIT2 按照 documentation 中的描述,尝试从第 3 处(例如某些 linux 桌面或服务器)检查您的服务帐户和密钥。
第一次创建服务帐号"cloud66"是在Google测试期。这很可能会影响访问权限。然后我将计费从测试期切换到付费期。我在 "APIs & Services -> Credentials" 部分删除并重新创建了 cloud66 服务帐户。但是 "cloud66" 的访问策略在 "IAM" 部分具有 "ComputeAdmin" 的角色。当我从 "IAM" 部分删除访问策略并重新创建服务帐户时,问题就解决了。
我已经在 GCP 中创建了项目。然后我创建具有 ComputeAdmin 角色的服务帐户。然后我为项目启用"Compute Engine API"。
但无法使用实例:
#gcloud compute instances list
ERROR: (gcloud.compute.instances.list) Some requests did not succeed: - Required 'compute.zones.list' permission for 'projects/someproject'
我做错了什么?
已编辑
来自服务帐户:
ERROR: (gcloud.projects.get-iam-policy) User [cloud66@project_id.iam.gserviceaccount.com] does not have permission to access project [project_id:getIamPolicy] (or it may not exist): The caller does not have permission
当我切换到主 google 帐户时:
$ gcloud projects get-iam-policy project_id bindings:
members:
- serviceAccount:cloud66@project_id.iam.gserviceaccount.com
role: roles/compute.admin
members:
- serviceAccount:service-855312803173@compute-system.iam.gserviceaccount.com
role: roles/compute.serviceAgent
members:
- serviceAccount:855312803173-compute@developer.gserviceaccount.com
- serviceAccount:855312803173@cloudservices.gserviceaccount.com
role: roles/editor
members:
- user:my_google_user role: roles/owner
从日志视图:
2020-01-28 16:46:30.932 EET Compute Engine list zones cloud66@project_id.iam.gserviceaccount.com PERMISSION_DENIED
code: 7
message: "PERMISSION_DENIED"
看看documentation first. Usually such error occurs if your service account doesn't have enough permissions. In this case, you should check available roles, search there for required permission like compute.zones. and add it to your service account as it described here. For example it could be Compute Instance Admin (v1) role。
编辑 看起来 Compute Admin role 应该适合您。可以肯定的是,使用命令检查项目中授予的角色:
gcloud projects get-iam-policy YOUR_PROJECT_ID
如果想通过云 API 从某些应用程序使用您的服务帐户,请查看此 instructions。
EDIT2 按照 documentation 中的描述,尝试从第 3 处(例如某些 linux 桌面或服务器)检查您的服务帐户和密钥。
第一次创建服务帐号"cloud66"是在Google测试期。这很可能会影响访问权限。然后我将计费从测试期切换到付费期。我在 "APIs & Services -> Credentials" 部分删除并重新创建了 cloud66 服务帐户。但是 "cloud66" 的访问策略在 "IAM" 部分具有 "ComputeAdmin" 的角色。当我从 "IAM" 部分删除访问策略并重新创建服务帐户时,问题就解决了。