GCP 服务帐户凭据被忽略？

Question

直到昨天，我还能够在 GCP 上运行一个应用程序来侦听 PubSub 并将数据写入 BigTable，但到今天为止，我似乎没有有效的身份验证了。

我是这样进行的：

1. 我动态创建了一个服务帐户：

gcloud iam service-accounts create ${SERVICE_ACCOUNT} \ --display-name "$(whoami) dev account" --project ${PROJECT_ID}

1. 我为此帐户创建一个 JSON 密钥文件：

gcloud iam service-accounts keys create \ "auth-${SERVICE_ACCOUNT}@${PROJECT_ID}.json" --iam-account=${IAM_ACCOUNT} \ --project ${PROJECT_ID}

1. 我从这个 JSON 文件创建了一个 kubectl 密钥：

kubectl create secret generic ingester-key \ --from-file=key.json="auth-${SERVICE_ACCOUNT}@${PROJECT_ID}.json"

4. 我将此帐户绑定到管理员角色：

bindings: - members: - serviceAccount:marcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com - serviceAccount:service-480932822351@container-engine-robot.iam.gserviceaccount.com role: roles/bigtable.admin - members: - serviceAccount:marcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com role: roles/bigtable.user - members: - serviceAccount:service-480932822351@container-engine-robot.iam.gserviceaccount.com role: roles/container.serviceAgent - members: - serviceAccount:480932822351-compute@developer.gserviceaccount.com - serviceAccount:480932822351@cloudservices.gserviceaccount.com - serviceAccount:service-480932822351@containerregistry.iam.gserviceaccount.com role: roles/editor - members: - user:marcello@XXXEDITEDXXX role: roles/owner - members: - serviceAccount:service-480932822351@container-engine-robot.iam.gserviceaccount.com role: roles/pubsub.admin - members: - serviceAccount:marcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com role: roles/pubsub.editor - members: - serviceAccount:marcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com role: roles/storage.admin - members: - serviceAccount:marcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com role: roles/storage.objectAdmin - members: - serviceAccount:marcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com role: roles/storage.objectCreator - members: - serviceAccount:marcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com role: roles/storage.objectViewer

5. 我获得了kubectl 的集群凭据：

gcloud container clusters get-credentials ingester-cluster --zone us-east1-b --project noisy-turtle-20171031

然后我启动 kubernetes 集群（为简洁起见，此处未显示），并在日志文件中打印出我正在使用的凭据，以验证服务帐户是否正确：

"Account: ServiceAccountCredentials{clientId\u003d117494744145141605372, clientEmail\u003dmarcello-dev@noisy-turtle-20171031.iam.gserviceaccount.com, privateKeyId\u003dad79da59c0a75c2b358d530d63d9a8898523f3cb, transportFactoryClassName\u003dcom.google.auth.oauth2.OAuth2Utils$DefaultHttpTransportFactory, tokenServerUri\u003dhttps://accounts.google.com/o/oauth2/token, scopes\u003d[], serviceAccountUser\u003dnull}"

发现clientEmail和我的服务账号匹配。

几个周期后，应用程序崩溃：

Exception in thread "main" java.io.IOException: Failed to listTables ... Caused by: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Access denied. Missing IAM permission: bigtable.tables.list.

有什么想法吗？

Answer 1

我找到了缺失的部分：在第 2 步之后，您需要激活服务帐户密钥：

gcloud auth activate-service-account ${IAM_ACCOUNT} --key-file="auth-${SERVICE_ACCOUNT}@${PROJECT_ID}.json"