python - 用户没有存储桶的 storage.objects.list 访问权限

问题描述

我创建了一个服务帐户并分配了以下角色：

Owner
Storage Admin
Storage Object Admin
Tester

Tester是我为学习目的创建的具有以下权限的角色：

storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storage.objects.update
...

我知道我不必要地过度使用这些角色的权限；但是，这仅用于测试目的。

考虑到存储桶只包含一个文件并且帐户具有相应的权限，下面的 Python 代码应该可以工作（在我的本地计算机上运行）：

from google.cloud import storage


if __name__ == '__main__':
    storage_client = storage.Client()
    bucket = storage_client.bucket('my-bucket-name')
    blobs = bucket.list_blobs()
    for blob in blobs:
        print(blob.name)

但它没有：

Traceback (most recent call last):
  File "gcloud/test.py", line 8, in <module>
    for blob in blobs:
  File "/home/user/.local/lib/python3.6/site-packages/google/api_core/page_iterator.py", line 212, in _items_iter
    for page in self._page_iter(increment=False):
  File "/home/berkay/.local/lib/python3.6/site-packages/google/api_core/page_iterator.py", line 243, in _page_iter
    page = self._next_page()
  File "/home/user/.local/lib/python3.6/site-packages/google/api_core/page_iterator.py", line 369, in _next_page
    response = self._get_next_page_response()
  File "/home/user/.local/lib/python3.6/site-packages/google/api_core/page_iterator.py", line 419, in _get_next_page_response
    method=self._HTTP_METHOD, path=self.path, query_params=params
  File "/home/user/.local/lib/python3.6/site-packages/google/cloud/_http.py", line 421, in api_request
    raise exceptions.from_http_response(response)
google.api_core.exceptions.Forbidden: 403 GET LINK: USER does not have storage.objects.list access to BUCKET.

桶使用统一的桶级访问控制。我正在使用的服务帐户是此存储桶的成员，它从以下位置继承此成员资格：

Storage Admin
Storage Object Admin
Tester

有人可以解释一下这种行为背后的原因吗？

谢谢

标签： pythongoogle-cloud-platformgoogle-cloud-storage