弄清楚了
所以有两种方法可以解决这个问题:
选项1:
我没有使项目能够访问用于加密/解密存储桶的 KMS 密钥。以我自己的身份登录时,我能够通过在 cli 中运行以下命令进行测试:
gsutil kms authorize -p PROJECTNAME -k projects/PROJECTNAME/locations/global/keyRings/KEYRINGNAME/cryptoKeys/KEYNAME- 然后我以服务帐户登录并尝试上传文件。这样做之后就成功了。
选项 2:
- 在使用云控制台挖掘之后,我发现有一个存储服务帐户需要访问加密解密。此帐户列在存储 > 设置 > 云存储服务帐户下。
- GCP 似乎将实际工作委派给该帐户以执行上传任务。因此,虽然它具有存储桶访问权限(显然,因为它是存储服务帐户),但它没有 KMS 访问权限。将 KMS 加密/解密添加到此 SA 后,它现在自动为我工作,无需任何 gsutil 干预。
我还更新了用于上传的 SA 凭证的范围,使其同时具有 cloudkms 和 devstorage.full_control。不过,我不确定这是否会影响任何事情。
原始问题:
我正在为多租户托管环境自动创建服务帐户、存储桶和 KMS 密钥环和密钥的工作流程。
我有一个具有有限 KMS、SA 和存储权限的服务帐户,可以创建其他服务帐户并允许他们成为自己的租户项目的管理员(例如:为租户创建服务帐户,它可以完全控制租户的 KMS 和存储桶,而不是其他租户的)。
但是,我目前遇到了让新服务帐户能够上传文件的问题。它拥有所需的所有权限:
1. KMS Admin 及其 KeyRing 的加密/解密
2. Storage Bucket Admin
但是,当我尝试使用该服务帐户上传内容时出现以下错误
[403] Errors [
Message[Permission denied on Cloud KMS key.
Please ensure that your Cloud Storage service
account has been authorized to use this key. ]
Location[ - ]
Reason[forbidden]
Domain[global]
这是我用来分配权限的代码,后面是用于访问存储桶的代码:
class Program
{
private static string solutionLocation = Path.GetFullPath(Path.Combine(Directory.GetCurrentDirectory(), @".." + Path.DirectorySeparatorChar + ".." + Path.DirectorySeparatorChar + ".." + Path.DirectorySeparatorChar));
static void Main(string[] args)
{
//Deserialize the JSON File for use with other things
JSONCreds jsonCreds = JsonConvert.DeserializeObject<JSONCreds>(
File.ReadAllText(Path.Combine(solutionLocation, "gcp-general-sa.json")));
Environment.SetEnvironmentVariable("GOOGLE_APPLICATION_CREDENTIALS",
Path.Combine(solutionLocation, "gcp-general-sa.json"));
KeyManagementServiceClient client = KeyManagementServiceClient.Create();
StorageClient storageClient = StorageClient.Create();
//Collect Tenant ID for testing purposes
Console.WriteLine("Tenant ID?");
string TID = Console.ReadLine();
if (TID.Length > 23)
{
TID = TID.Substring(0, 23);
}
//Setting some variables that are used throughout
string keyID = "key-" + TID;
string keyRingName = "ring-" + TID;
string keyLocationID = "global";
string saName = "sa-" + TID;
//Create a Service Account for this agency
var newServiceAccount = CreateServiceAccount(jsonCreds.project_id, saName, saName);
//Create an API Key for this Service Account, and then decode it
var credential = GoogleCredential.GetApplicationDefault().CreateScoped(IamService.Scope.CloudPlatform);
var service = new IamService(new IamService.Initializer
{
HttpClientInitializer = credential
});
var newServiceAccountFullKey = service.Projects.ServiceAccounts.Keys.Create( new CreateServiceAccountKeyRequest(), "projects/-/serviceAccounts/" + newServiceAccount.Email).Execute();
var newServiceAccountKey = System.Text.ASCIIEncoding.ASCII.GetString(Convert.FromBase64String(newServiceAccountFullKey.PrivateKeyData));
Console.WriteLine("Created Service Account Key For: " + newServiceAccountFullKey.Name);
//Create KMS Key Ring for this agency
KeyRing newKeyRing = CreateKeyRing(client, jsonCreds.project_id, keyLocationID, keyRingName);
//Create a KMS Key in that new Key Ring
CryptoKey newKey = CreateCryptoKey(client, jsonCreds.project_id, keyLocationID, newKeyRing.KeyRingName.KeyRingId, keyID);
//Create Bucket with specified Parameters
Bucket bucket = new Bucket
{
Location = "us-central1",
Name = TID,
StorageClass = StorageClasses.Standard,
Encryption = new Bucket.EncryptionData()
{
DefaultKmsKeyName = newKey.Name
}
};
var newStorageBucket = storageClient.CreateBucket(jsonCreds.project_id, bucket);
//Set permissions for the new Service Account for the new KeyRing and Bucket
AddMemberToKeyRingPolicy(client, jsonCreds.project_id, keyLocationID, newKeyRing.KeyRingName.KeyRingId, "custom_role_with_multiple_permissions", "serviceAccount:" + newServiceAccount.Email);
AddBucketIamMember(newStorageBucket.Name, "roles/storage.admin", "serviceAccount:" + newServiceAccount.Email);
//Testing uploading to the new bucket with the new account
var newSACredential = GoogleCredential.FromJson(newServiceAccountKey.ToString()).CreateScoped("https://www.googleapis.com/auth/cloudkms");
var storage = StorageClient.Create(newSACredential);
using (var fileStream = new FileStream("sample_image.png", FileMode.Open, FileAccess.Read, FileShare.Read))
{
storage.UploadObject(newStorageBucket.Name, "sample_image_uploaded.png", null, fileStream);
}
}
有什么想法我可能做错了吗?看起来这是一个权限问题,但我几乎将存储和 KMS 的每一个都分配给了这个动态创建的新服务帐户。
全栈跟踪:
Google.GoogleApiException: Google.Apis.Requests.RequestError
Insufficient Permission [403]
Errors [
Message[Insufficient Permission] Location[ - ] Reason[insufficientPermissions] Domain[global]
]
at Google.Cloud.Storage.V1.StorageClientImpl.UploadHelper.CheckFinalProgress() in T:\src\github\google-cloud-dotnet\releasebuild\apis\Google.Cloud.Storage.V1\Google.Cloud.Storage.V1\StorageClientImpl.UploadObject.cs:204
at Google.Cloud.Storage.V1.StorageClientImpl.UploadHelper.Execute() in T:\src\github\google-cloud-dotnet\releasebuild\apis\Google.Cloud.Storage.V1\Google.Cloud.Storage.V1\StorageClientImpl.UploadObject.cs:154
at Google.Cloud.Storage.V1.StorageClientImpl.UploadObject(Object destination, Stream source, UploadObjectOptions options, IProgress`1 progress) in T:\src\github\google-cloud-dotnet\releasebuild\apis\Google.Cloud.Storage.V1\Google.Cloud.Storage.V1\StorageClientImpl.UploadObject.cs:97
at Google.Cloud.Storage.V1.StorageClientImpl.UploadObject(String bucket, String objectName, String contentType, Stream source, UploadObjectOptions options, IProgress`1 progress) in T:\src\github\google-cloud-dotnet\releasebuild\apis\Google.Cloud.Storage.V1\Google.Cloud.Storage.V1\StorageClientImpl.UploadObject.cs:70
at ConsoleApp1.Program.Main(String[] args) in /Users/btruman/Desktop/gcp_scripts/VOCA Onboarding/Program.cs:136