服务帐户无法列出“403”-“没有storage.buckets.list访问”的桶

Question

我有两个不同的服务帐户。

他们有同样的角色：

my-user@my-computer:~$ service_account_basename=working-account
my-user@my-computer:~$ service_account="$service_account_basename@$project.iam.gserviceaccount.com"
my-user@my-computer:~$ gcloud projects get-iam-policy "$(gcloud config get-value project)" \
>   --flatten="bindings[].members" \
>   --format='table(bindings.role)' \
>   --filter="bindings.members:$service_account"
ROLE
roles/compute.instanceAdmin.v1
roles/compute.securityAdmin
roles/iam.serviceAccountUser
roles/storage.admin
roles/storage.objectViewer

my-user@my-computer:~$ service_account_basename=broken-account
my-user@my-computer:~$ service_account="$service_account_basename@$project.iam.gserviceaccount.com"
my-user@my-computer:~$ gcloud projects get-iam-policy "$(gcloud config get-value project)" \
>   --flatten="bindings[].members" \
>   --format='table(bindings.role)' \
>   --filter="bindings.members:$service_account"
ROLE
roles/compute.instanceAdmin.v1
roles/compute.securityAdmin
roles/iam.serviceAccountUser
roles/storage.admin
roles/storage.objectViewer

一个帐户可以很好地列出桶：

my-user@my-computer:~$ service_account_basename=working-account
my-user@my-computer:~$ service_account="$service_account_basename@$project.iam.gserviceaccount.com"
my-user@my-computer:~$ key_file="$service_account_basename.json"
my-user@my-computer:~$ gcloud iam service-accounts keys create "$key_file"  --iam-account "$service_account"
created key [8ead916d3d004522aa6e51608d42e85e] of type [json] as [working-account.json] for [working-account@my-project.iam.gserviceaccount.com]
my-user@my-computer:~$ gcloud auth activate-service-account --key-file "$key_file"
Activated service account credentials for: [working-account@my-project.iam.gserviceaccount.com]

my-user@my-computer:~$ gsutil ls
gs://bucket-1
gs://bucket-2
gs://bucket-3
gs://bucket-4
gs://bucket-5

..。如果另一种失败：

my-user@my-computer:~$ service_account_basename=broken-account
my-user@my-computer:~$ service_account="$service_account_basename@$project.iam.gserviceaccount.com"
my-user@my-computer:~$ key_file="$service_account_basename.json"
my-user@my-computer:~$ gcloud iam service-accounts keys create "$key_file"  --iam-account "$service_account"
created key [9930c9c6ded24e87a44633aaf35f5ae5] of type [json] as [broken-account.json] for [broken-account@my-project.iam.gserviceaccount.com]
my-user@my-computer:~$ gcloud auth activate-service-account --key-file "$key_file"
Activated service account credentials for: [broken-account@my-project.iam.gserviceaccount.com]

my-user@my-computer:~$ gsutil ls
AccessDeniedException: 403 broken-account@my-project.iam.gserviceaccount.com does not have storage.buckets.list access to project 533113984589.

错误消息引用的项目是我的项目，因为打印出来的数字(533113984589)是我的项目编号：

my-user@my-computer:~$ gcloud projects describe my-project --format="get(projectNumber)"
533113984589

有人知道出了什么问题吗？

Answer 1

我怀疑这种行为与重新创建以前删除的服务帐户和使用相同的名称有关。

若要放弃这种情况，请查看查询日志使用以下参数进行的Stackdriver：

    resource.type="service_account"
    protoPayload.methodName="google.iam.admin.v1.DeleteServiceAccount"
    resource.labels.email_id="BROKEN_SA@PROJECT_ID.iam.gserviceaccount.com"

我们向这里解释了如何创建同名的新服务帐户。

此外，您还可以尝试创建一个全新的服务帐户，授予相同的角色并查看它的行为。