0

我想创建一个 Data Fusion 实例并授予服务帐户读取和写入 BigQuery 的权限。我正在使用 Data Fusion 的 Beta 版,我的项目位于一个组织下。

gcloud services enable datafusion.googleapis.com
ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
PROJECT_ID=my-project-under-an-org
INSTANCE_ID=cdf-dev-0
curl --request POST --header "Authorization: Bearer $ACCESS_TOKEN" --header 'Content-Type: application/json' https://datafusion.googleapis.com/v1beta1/projects/$PROJECT_ID/locations/europe-west1/instances?instanceId=$INSTANCE_ID -d \"{'zone': 'europe-west1-b', 'enableStackdriverLogging': true, 'enableStackdriverMonitoring': true, 'labels': {}, 'networkConfig': {}, 'options': {}, 'privateInstance': false, 'type': 'ENTERPRISE'}\""

# retrieve service account so that permissions can be granted to it
SERVICE_ACCOUNT=$(curl --request GET --header "Authorization: Bearer $ACCESS_TOKEN" --header 'Content-Type: application/json' https://datafusion.googleapis.com/v1beta1/projects/$PROJECT_ID/locations/europe-west1/instances/$INSTANCE_ID | jq .serviceAccount)

gcloud projects add-iam-policy-binding $PROJECT_ID --member=serviceAccount:$SERVICE_ACCOUNT --role='roles/bigquery.dataEditor'

当我尝试授予权限时,出现以下错误:

ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) FAILED_PRECONDITION: One or more users named in the policy do not belong to a permitted customer.
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - description: User cloud-datafusion-management-sa@xxxx-tp.iam.gserviceaccount.com
      is not in permitted organization.
    subject: orgpolicy:projects/my-project-under-an-org?configvalue=cloud-datafusion-management-sa%xxxx-tp.iam.gserviceaccount.com
    type: constraints/iam.allowedPolicyMemberDomains

任何提示表示赞赏。

4

1 回答 1

0

策略修改失败是由域限制约束触发的,该约束在组织策略中用于限制基于域的资源共享。此域共享限制阻止将权限分配给服务帐户。解决方法是暂时禁用限制。

于 2019-07-29T21:37:50.237 回答