我在整个项目中扮演着所有者的角色。我不小心删除了一个默认的服务帐户,现在我无法启动任何VM实例。
我了解到,我可以使用gcloud alpha iam service-accounts undelete <ID>命令或类似的curl命令curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://iam.googleapis.com/v1/projects/<project_id>/serviceAccounts/<ID>:undelete"来取消删除服务帐户,但两者都会给我以下错误:
PERMISSION_DENIED: Permission iam.serviceAccounts.undelete is required to perform this operation on service account
我在任何地方都找不到iam.serviceAccounts.undlete权限。所有者角色(我拥有(拥有所有其他iam.serviceAccounts权限(创建、删除、更新…(,但没有此权限。
我该如何运行该命令?
编辑:我的错,我一直在使用错误的serviceAccount ID,我在复制/粘贴时错过了最后一位。。。尽管如此,错误消息还是很奇怪。
好的,以下对我有效:
gcloud projects create ${PROJECT}
gcloud iam service-accounts create ${ROBOT} --project=${PROJECT}
ID=$(
gcloud iam service-accounts describe
${ROBOT}@${PROJECT}.iam.gserviceaccount.com
--project=${PROJECT}
--format="value(uniqueId)") && echo ${ID}
gcloud iam service-accounts delete ${ROBOT}@${PROJECT}.iam.gserviceaccount.com
--project=${PROJECT}
gcloud alpha iam service-accounts undelete ${ID} --project=${PROJECT}
收益率:
restoredAccount:
email: ${ROBOT}@${PROJECT}.iam.gserviceaccount.com
etag: ...
name: projects/${PROJECT}/serviceAccounts/${ROBOT}@${PROJECT}.iam.gserviceaccount.com
oauth2ClientId: '${ID}'
projectId: ${PROJECT}
uniqueId: '${ID}'
我也在默认的计算引擎帐户上尝试过,认为这可能会有不同的行为,但它也会取消删除:
NUM=$(gcloud projects describe ${PROJECT}
--format="value(projectNumber)")
ID=$(
gcloud iam service-accounts describe
${NUM}-compute@developer.gserviceaccount.com
--project=${PROJECT}
--format="value(uniqueId)") && echo ${ID}
gcloud iam service-accounts delete ${NUM}-compute@developer.gserviceaccount.com
--project=${PROJECT}
gcloud alpha iam service-accounts undelete ${ID} --project=${PROJECT}
向谷歌的Issue Tracker提交了一份FR,因为在删除帐户后,似乎无法(!?(枚举已删除的服务帐户来查找uniqueId。
扩展@halfer的答案,您可以通过查看活动日志来找到已删除的唯一id。利用时间可以缩小索引范围。查找Delete service account,然后它应该显示为${IAM account} deleted ${unique id}
链接:https://console.cloud.google.com/home/activity?project=${project}