我正在编写一个 Python 脚本来检查谷歌云存储中存在的一些文件的内容,如果它们包含一些 PII。脚本如下
dlp = google.cloud.dlp_v2.DlpServiceClient()
url = "gs://{}/{}".format("my-bucket-name", "my_file_name")
storage_config = {"cloud_storage_options": {"file_set": {"url": url}}}
parent = dlp.project_path("my-project-name")
inspect_job = {
"inspect_config": inspect_config,
"storage_config": storage_config
}
operation = dlp.create_dlp_job(parent, inspect_job=inspect_job)
job_done = threading.Event()
job = dlp.get_dlp_job(operation.name)
try:
if job.inspect_details.result.info_type_stats:
for finding in job.inspect_details.result.info_type_stats:
print("Info type: {}; Count: {}".format(finding.info_type.name, finding.count))
else:
print("No findings.")
job_done.set()
except Exception as e:
print(e)
raise
finished = job_done.wait(timeout=3000)
if not finished:
print(
"No event received before the timeout. Please verify that the "
"subscription provided is subscribed to the topic provided."
)
我在文档中读到 DLP API 使用所需的权限集创建了自己的服务帐户。
启用 Cloud DLP 后,服务帐号会添加到项目中。
为了通过 JobTrigger 访问 Google Cloud 资源并执行对 Cloud DLP 的调用,Cloud DLP 使用 Google API 服务帐户的凭据向其他 API 进行身份验证。Google API 服务帐户专门设计用于代表您运行内部 Google 流程。可以使用电子邮件识别服务帐户:
服务-[PROJECT_NUMBER]@dlp-api.iam.gserviceaccount.com
当我运行代码时,我收到一个 403 错误,指出它没有所需的权限 dlp.jobs.create。我更新了帐户的 IAM 策略以包含具有以下提到的策略集的自定义角色(因为这只是一个用于学习目的的项目)。
dlp.analyzeRiskTemplates.create
dlp.analyzeRiskTemplates.delete
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.analyzeRiskTemplates.update
dlp.deidentifyTemplates.create
dlp.deidentifyTemplates.delete
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.deidentifyTemplates.update
dlp.inspectTemplates.create
dlp.inspectTemplates.delete
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.inspectTemplates.update
dlp.jobTriggers.create
dlp.jobTriggers.delete
dlp.jobTriggers.get
dlp.jobTriggers.list
dlp.jobTriggers.update
dlp.jobs.cancel
dlp.jobs.create
dlp.jobs.delete
dlp.jobs.get
dlp.jobs.list
dlp.kms.encrypt
dlp.storedInfoTypes.create
dlp.storedInfoTypes.delete
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
dlp.storedInfoTypes.update
serviceusage.services.use
我的服务帐户有两个单独的权限集:
- DLP 权限单独:
- dlp.jobs.create
- dlp.jobs.cancel
- dlp.jobs.delete
- dlp.jobs.get
- dlp.jobs.list
所有者权限,因此它可以不受限制地访问所有谷歌资源。
- 角色/所有者
但是,当我现在运行脚本时,它仍然给出以下错误:
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.PERMISSION_DENIED
details = "Not allowed, access denied for permission dlp.jobs.create."
debug_error_string = "{"created":"@1581682593.219000000","description":"Error received from peer ipv4:xxx.xxx.x.x","file":"src/core/lib/surface/call.cc","file_line":1056,"grpc_message":"Not allowed, access denied for permission dlp.jobs.create.","grpc_status":7}"
google.api_core.exceptions.PermissionDenied: 403 Not allowed, access denied for permission dlp.jobs.create.