Unable to change service account user gcloud GCP

Published 2025-02-04 08:42:00

I am still wondering how I am supposed to change the service account user. Let's say I have 2 service accounts (A and B), each of which has a different role in a different project. After I am done using user B, when I want to change to service account A and access the resource, the gcloud command says

Error from server (Forbidden): pods is forbidden: User "[email protected]" cannot list resource "pods" in API group "" in the namespace "default": requires one of ["container.pods.list"] permission(s).

I have already changed my service account user with gcloud config set account [service-account], but gcloud still reads the other service account. Did I miss something?


千里故人稀 2025-02-11 08:42:00


Here's a contrived example of what I think you're doing:

# gcloud is using my regular User credentials
gcloud config get account
[email protected]

# Access GKE as [email protected]
kubectl get pods --namespace=default
pod/foo-c7b7995df-vxrmh

# Authenticate as a GCP Service Account with **no** permissions
EMAIL="{ACCOUNT}@{PROJECT}.iam.gserviceaccount.com"
gcloud auth activate-service-account ${EMAIL} \
--key-file=${KEY_FILE}

# gcloud is now using the Service Account credentials
gcloud config get account
${EMAIL}

# Using new GKE auth plugin
gke-gcloud-auth-plugin \
| jq -r .status.expirationTimestamp
2022-00-00T17:10:00Z

# Need to either delete the token
# Or wait until 17:10 for it to expire
# Then...
kubectl get pods --namespace=default
Error from server (Forbidden): pods is forbidden: User "{ACCOUNT}@{PROJECT}.iam.gserviceaccount.com" cannot list resource "pods" in API group "" in the namespace "default": requires one of ["container.pods.list"] permission(s).

One solution is to grant the GCP (!) Service Account one of the Kubernetes Engine roles that has permission to list Pods, i.e. container.pods.*, which is part of roles/container.developer:

# Grant the Service Account Kubernetes Engine role
ROLE="roles/container.developer"
gcloud projects add-iam-policy-binding ${PROJECT} \
--member=serviceAccount:${EMAIL} \
--role=${ROLE}

# Try again
kubectl get pods --namespace=default --output=name
pod/foo-c7b7995df-vxrmh
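An added example, not code from the question or the answer above and not part of any Google tooling, that turns the answer's two points into something you can run: `gcloud config set account` changes what gcloud uses, but the GKE token that gke-gcloud-auth-plugin already fetched stays valid until its `status.expirationTimestamp`, so kubectl keeps acting as the previous principal until that token is dropped or expires; and after switching, the thing to verify is the exact permission named in the error (`container.pods.list`, i.e. `list pods` on the cluster side). The ExecCredential JSON embedded below is a constructed sample with a fake token, and the on-disk cache path `~/.kube/gke_gcloud_auth_plugin_cache` is an assumption about the plugin's behaviour that you should confirm on your own install.

```shell
#!/bin/sh
# Added example (not from the question or answer above).
# Assumptions, verify on your install: gke-gcloud-auth-plugin prints a
# client-go ExecCredential JSON on stdout, and it caches the token on disk at
# ~/.kube/gke_gcloud_auth_plugin_cache.

# Constructed sample of the plugin's output; the token value is fake.
SAMPLE_EXEC_CREDENTIAL='{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"2022-01-01T17:10:00Z","token":"ya29.fake-token"}}'

# Assumed cache location used by gke-gcloud-auth-plugin.
GKE_PLUGIN_CACHE="${HOME}/.kube/gke_gcloud_auth_plugin_cache"

# Extract status.expirationTimestamp from ExecCredential JSON without jq.
exec_cred_expiry() {
  printf '%s' "$1" |
    sed -n 's/.*"expirationTimestamp"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Report whether a cached token is still usable at time $2 (RFC 3339 UTC,
# e.g. 2022-01-01T16:00:00Z). The format is fixed-width and zero-padded, so a
# plain string comparison orders timestamps correctly and sidesteps the
# GNU/BSD `date -d` differences. Prints one of: valid | expired | no-token
token_state() {
  expiry=$(exec_cred_expiry "$1")
  now="$2"
  if [ -z "$expiry" ]; then
    printf 'no-token\n'
  elif expr "$expiry" \> "$now" >/dev/null; then
    printf 'valid\n'
  else
    printf 'expired\n'
  fi
}

# Live check: is the token kubectl would present right now still valid
# (and therefore still the previous account's token)?
live_token_state() {
  token_state "$(gke-gcloud-auth-plugin)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Switch gcloud to $1, drop the cached GKE token so the next kubectl call
# fetches a token for the new principal instead of waiting for expiry, then
# verify the permission from the error message before touching workloads.
switch_account() {
  target="$1"
  gcloud config set account "$target"
  rm -f "$GKE_PLUGIN_CACHE"
  printf 'gcloud account: %s\n' "$(gcloud config get account)"
  printf 'can list pods in default as %s: ' "$target"
  kubectl auth can-i list pods --namespace=default
}

# Usage: sh switch.sh --switch sa@project.iam.gserviceaccount.com
#        sh switch.sh --state
case "${1:-}" in
  --switch) switch_account "$2" ;;
  --state)  live_token_state ;;
esac
```

`kubectl auth can-i list pods --namespace=default` asks the API server the same question the failing `kubectl get pods` did, so it tells you whether the IAM grant has taken effect for the principal the cluster now sees, without relying on a workload call. One least-privilege caveat on the answer's fix: `roles/container.developer` grants access to Kubernetes API objects in every cluster of the project, not just pod listing in one namespace; if the service account only needs to list pods in `default`, a narrower combination is `roles/container.clusterViewer` (enough to fetch cluster credentials) plus a Kubernetes RBAC Role/RoleBinding for the service account's email inside the cluster.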