0

I can't update the IAM policy on my AI Platform Notebook.

I created a new AI Platform Notebooks instance:

gcloud beta notebooks instances create nb1 \
 --vm-image-project=deeplearning-platform-release \
 --vm-image-family=tf-latest-cpu \
 --machine-type=n1-standard-4 \
 --location=us-west1-b

When I try to apply a new IAM policy, I get an error:

gcloud beta notebooks instances set-iam-policy nb1 --location=us-west1-b notebooks.policy

ERROR: (gcloud.beta.notebooks.instances.set-iam-policy) INTERNAL: An internal error occurred (506011f7-b62e-4308-9bde-10b97dd7b99c)

My policy looks like this:

{
  "bindings": [
    {
      "members": [
        "user:myuser@gmail.com",   
      ],
      "role": "roles/notebooks.admin"
    }
  ],
  "etag": "BwWlgdvxWT0=",
  "version": 1
}

When I do a

gcloud beta notebooks instances get-iam-policy nb1 --location=us-west1-b --format=json

I get:

ACAB

because no policy has been set.

1 Answer

0

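Please take a look at the etag field:

An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy.

Documentation here: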

string (bytes format)

etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy.

Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.

A base64-encoded string.

You can simply change your policy's etag to the default ACAB.

{
  "bindings": [
    {
      "members": [
        "user:myuser@gmail.com"
      ],
      "role": "roles/notebooks.admin"
    }
  ],
  "etag": "ACAB",
  "version": 1
}

Or you can create a new policy with the add-iam-policy-binding command, then extract the etag using get-iam-policy and update your JSON file with it, and finally run set-iam-policy.

You can also use this format:

{
  "policy": {
    "bindings": [
        {
          "members": [
            "user:myuser@gmail.com"
          ],
          "role": "roles/notebooks.admin"
        }
      ],
      "etag": "ACAB",
      "version": 1
    }
}
Answered 2020-05-13T08:06:00.983
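
The read-modify-write cycle from the quoted etag documentation, as an added example that is not part of the original answer. `PolicyStore` is a constructed in-memory stand-in for the service (its etag scheme and the `ValueError` on a stale etag are assumptions), and `add_binding` and `grant` are hypothetical helper names.

```python
import base64
import copy

def add_binding(policy, role, member):
    """Modify step: copy the fetched policy, add member to role, keep its etag."""
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for b in bindings:
        if b.get("role") == role and "condition" not in b:
            if member not in b.setdefault("members", []):
                b["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return updated

class PolicyStore:
    """Constructed stand-in for the service side of getIamPolicy/setIamPolicy."""
    def __init__(self):
        self._policy = {"etag": "ACAB"}  # empty policy, as on the page
        self._generation = 0

    def get(self):
        return copy.deepcopy(self._policy)

    def set(self, policy):
        # Assumption: a stale etag is rejected; the real service's error differs.
        if policy.get("etag") != self._policy["etag"]:
            raise ValueError("etag mismatch: policy changed since it was read")
        self._generation += 1
        stored = copy.deepcopy(policy)
        stored["etag"] = base64.b64encode(self._generation.to_bytes(8, "big")).decode()
        self._policy = stored
        return copy.deepcopy(stored)

def grant(store, role, member, attempts=3):
    """Full cycle: read, modify, write; re-read and retry if the etag went stale."""
    for _ in range(attempts):
        try:
            return store.set(add_binding(store.get(), role, member))
        except ValueError:
            continue
    raise RuntimeError("policy kept changing; giving up")

if __name__ == "__main__":
    store = PolicyStore()
    first = add_binding(store.get(), "roles/notebooks.admin", "user:a@example.com")
    stale = add_binding(store.get(), "roles/notebooks.admin", "user:b@example.com")
    store.set(first)  # succeeds and rotates the etag; writing `stale` would now fail
    print(grant(store, "roles/notebooks.admin", "user:b@example.com"))
```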