我在GCP中有PubSub函数,这是云托管的运行规则,并具有发送邮件的通知功能,即c7n mailer和调用c7n_mailer PubSub函数。现在,我将对一个项目中的所有项目运行此函数。
我已经检查并提供了所有权限,cloudcustodian成功地运行了项目,但是当涉及到通知并运行c7n_mailer pubsub时,它给了我以下权限问题。
我已经通过在xxx项目中添加pubsub list/get等角色提供了权限,但仍然遇到问题。
Invalid JSON content from response: b'{n "error": {n "code": 403,n "message": "Caller does not have required permission to use project xxx. Grant the caller the Owner or Editor role, or a custom role with the serviceusage.services.use permission, by visiting https://console.xxx.google.com/iam-admin/iam/project?project=xxx and then retry (propagation of new permission may take a few minutes).",n "status": "PERMISSION_DENIED",n "details": [n {n "@type": "type.googleapis.com/google.rpc.Help",n "links": [n {n "description": "Google developer console IAM admin",n "url": "https://console.developers.google.com/iam-admin/iam/project?project=xxx"n }n ]n },n {n "@type": "type.googleapis.com/google.rpc.ErrorInfo",n "reason": "USER_PROJECT_DENIED",n "domain": "googleapis.com",n "metadata": {n "service": "pubsub.googleapis.com",n "consumer": "projects/xxx"n }n }n ]n }n}n'
你的问题和谷歌的错误都将受益于更多的细节。
但是,从Google服务的403中可以清楚地看出,您对项目XXX的服务帐户授予的权限不足:
Caller does not have required permission to use project xxx
在不知道帐户在项目XXX上需要做什么的情况下很难回答这个问题,但是,如果您只在项目中访问PubSub,我建议您跳过PubSub角色并再试一次:
https://cloud.google.com/pubsub/docs/access-control角色