0

我有 2 个存储桶,即 prod 和 staging,并且我有一个服务帐户。我想将此帐户限制为只能访问暂存存储桶。现在我在https://cloud.google.com/iam/docs/conditions-overview上看到这应该是可能的。我创建了一个policy.json这样的

{
  "bindings": [
    {
      "role": "roles/storage.objectCreator",
      "members": "serviceAccount:staging-service-account@lalala-co.iam.gserviceaccount.com",
      "condition": {
        "title": "staging bucket only",
        "expression": "resource.name.startsWith(\"projects/_/buckets/uploads-staging\")"
      }
    }
  ]
}

但是当我开火时,gcloud projects set-iam-policy lalala policy.json我得到:

The specified policy does not contain an "etag" field identifying a
specific version to replace. Changing a policy without an "etag" can
overwrite concurrent policy changes.

Replace existing policy (Y/n)?

ERROR: (gcloud.projects.set-iam-policy) INVALID_ARGUMENT: Can't set conditional policy on policy type: resourcemanager_projects and id: /lalala

我觉得我误解了角色、策略和服务帐户之间的关系。但无论如何:是否可以以这种方式限制服务帐户?

4

1 回答 1

0

根据评论,我能够解决我的问题。显然存储桶权限有点特殊,但我能够使用 gsutil 在存储桶上设置允许我的用户访问的策略:

gsutils iam ch serviceAccount:staging-service-account@lalala.iam.gserviceaccount.com:objectCreator gs://lalala-uploads-staging

触发此操作后,访问按预期进行。我发现这没有反映在服务帐户策略中有点令人困惑:

% gcloud iam service-accounts get-iam-policy staging-service-account@lalala.iam.gserviceaccount.com
etag: ACAB

感谢大家

于 2019-03-01T09:33:33.750 回答