创建新的服务帐户来处理 Container Builder 作业时,尽管服务帐户具有 Cloud Container Builder
,但作业仍会失败并出现以下错误, Logs Viewer
和Private Logs viewer
:
ERROR: (gcloud.container.builds.submit) HTTPError 403:
<?xml version='1.0' encoding='UTF-8'?>
<Error>
<Code>AccessDenied</Code>
<Message>Access denied.</Message>
<Details>v2-container-builder@redacted.iam.gserviceaccount.com does not have storage.objects.get access to object redacted.cloudbuild-logs.googleusercontent.com/log-20117c17-f2b4-4159-9883-104ddd7bb232.txt.
</Details>
</Error>
我了解错误指向 storage.objects.get
对云存储上文件的权限,但这不是我们可以设置的存储桶acl
是因为吗?
最佳答案
以下是 David Bendory(Google Cloud Container Builder 技术主管)的引述:this thread :
GCS permissions predate IAM and thus work a little differently. To view the logs, the Service Account in question needs to be a Viewer on the project in addition to have the Builder Editor role.
关于google-cloud-platform - 服务帐户需要哪些范围/角色才能提交容器构建器作业?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/45602447/