在GCP中执行pubsub函数时出现错误USER_PROJECT_DENIED

Question

我在GCP中有PubSub函数，它运行云托管的规则，并具有发送邮件的通知功能，即c7n邮件程序和调用c7n_mailer pubsub函数。现在，我正在对来自一个项目的所有项目运行此函数。

我已经检查并提供了所有的权限，cloudcustodian成功地对项目运行，但是当涉及到通知和对c7n_mailer pubsub运行时，它给了我下面的权限问题。

我已经通过在xxx项目中添加pubsub list / get等角色提供了权限，但仍然有问题。

Invalid JSON content from response: b'{\n "error": {\n "code": 403,\n "message": "Caller does not have required permission to use project xxx. Grant the caller the Owner or Editor role, or a custom role with the serviceusage.services.use permission, by visiting https://console.xxx.google.com/iam-admin/iam/project?project=xxx and then retry (propagation of new permission may take a few minutes).",\n "status": "PERMISSION_DENIED",\n "details": [\n {\n "@type": "type.googleapis.com/google.rpc.Help",\n "links": [\n {\n "description": "Google developer console IAM admin",\n "url": "https://console.developers.google.com/iam-admin/iam/project?project=xxx"\n }\n ]\n },\n {\n "@type": "type.googleapis.com/google.rpc.ErrorInfo",\n "reason": "USER_PROJECT_DENIED",\n "domain": "googleapis.com",\n "metadata": {\n "service": "pubsub.googleapis.com",\n "consumer": "projects/xxx"\n }\n }\n ]\n }\n}\n'

Answer 1

你的问题和谷歌的错误都将受益于更多的细节。

但是，从Google服务的403中可以清楚地看到，您没有为项目XXX上的服务帐户授予足够的权限：

Caller does not have required permission to use project xxx

在不知道帐户需要在项目XXX上做什么的情况下很难回答这个问题，但是，如果您只访问项目中的PubSub，我建议您跳过PubSub角色并重试：

https://cloud.google.com/pubsub/docs/access-control#roles