我正在编写一个Python函数,该功能使用服务帐户凭据调用Google Cloudsqladmin API将数据库导出到存储桶中。
服务帐户已获得项目所有者的权限,并且该存储桶为项目所有者设置了权限。SQLADMIN API已为我们的项目启用。
Python代码:
from google.oauth2 import service_account
from googleapiclient.discovery import build
import googleapiclient
import json
def main():
SCOPES = ['https://www.googleapis.com/auth/sqlservice.admin', 'https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/devstorage.full_control']
SERVICE_ACCOUNT_FILE = './creds/service-account-credentials.json'
PROJECT = "[REDACTED]"
DB_INSTANCE = "[REDACTED]"
BUCKET_PATH = "gs://[REDACTED]/[REDACTED].sql"
DATABASES = [REDACTED]
BODY = { # Database instance export request.
"exportContext": { # Database instance export context. # Contains details about the export operation.
"kind": "sql#exportContext", # This is always sql#exportContext.
"fileType": "SQL", # The file type for the specified uri.
# SQL: The file contains SQL statements.
# CSV: The file contains CSV data.
"uri": BUCKET_PATH, # The path to the file in Google Cloud Storage where the export will be stored. The URI is in the form gs://bucketName/fileName. If the file already exists, the requests succeeds, but the operation fails. If fileType is SQL and the filename ends with .gz, the contents are compressed.
"databases": DATABASES,
},
}
credentials = service_account.Credentials.from_service_account_file(SERVICE_ACCOUNT_FILE, scopes=SCOPES)
sqladmin = googleapiclient.discovery.build('sqladmin', 'v1beta4', credentials=credentials)
response = sqladmin.instances().export(project=PROJECT, instance=DB_INSTANCE, body=BODY).execute()
print(json.dumps(response, sort_keys=True, indent=4))
运行此代码将网络网络以下错误:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "[REDACTED]/main.py", line 47, in hello_pubsub
response = sqladmin.instances().export(project=PROJECT, instance=DB_INSTANCE, body=BODY).execute()
File "/usr/local/lib/python3.7/site-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
return wrapped(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/googleapiclient/http.py", line 851, in execute
raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/sql/v1beta4/projects/[REDACTED]/instances/[REDACTED]/export?alt=json returned "The service account does not have the required permissions for the bucket.">
我已经在2个GCP项目中尝试了这一点,并具有多个服务帐户,并具有不同的权限。
相关问题:从云存储到云SQL导入CSV时,拒绝服务帐户(许可问题?) - 此问题是由不正确的权限引起的,这情况并非如此,因为该帐户具有项目所有者权限
Google云使用身份和访问管理系统来管理资源:IAM。
每个云SQL实例都使用具有权限的相应服务帐户。要查找您的Cloud SQL服务帐户名称:
Console&gt;sql&gt;实例名称&gt;服务帐户
使用此服务帐户名称,您可以授予存储库的访问控制权限,从:存储管理员,存储对象管理,存储对象创建者,存储对象查看器。
遵循最低特权原则,您只需要添加:存储对象创建者,允许导出到云存储存储桶中。
文档中包括详细的存储访问角色描述。
这些是对我有用的最小权限分配。
请记住,有两个相关的服务帐户。第一个是一个服务帐户,该帐户是在配置GCP Cloud SQL实例时自动创建的。该服务帐户的名称类似于p746284857472-d3jdkw@gcp-sa-cloud-sql.iam.gserviceaccount.com。
第二个服务帐户是您自己创建的帐户;我们称此服务帐户cloud-sql-export。我们还假设我们的GCP项目ID是my_gcp_project_id。
这是权限:
-
创建一个将
storage.admin角色分配给云SQL服务帐户的策略,并将此策略分配给要导出数据的存储库。这是Terraform代码:data "google_iam_policy" "cloud_sql_bucket_admin" { binding { role = "roles/storage.admin" members = [ "serviceAccount:p746284857472-d3jdkw@gcp-sa-cloud-sql.iam.gserviceaccount.com", ] } } resource "google_storage_bucket_iam_policy" "mypolicy" { bucket = "mybucketname" policy_data = data.google_iam_policy.cloud_sql_bucket_admin.policy_data } -
对于其他权限,我创建了角色,并将该角色分配给自定义
cloud-sql-export服务帐户:resource "google_project_iam_custom_role" "cloudsql-export-bucket-role" { role_id = "cloudsqlExportBucketRole" title = "Cloud SQL Export to Bucket Role" description = "Export from Cloud SQL and write to buckets" permissions = ["cloudsql.instances.get", "cloudsql.instances.export"] } resource "google_project_iam_member" "cloudsql_archive_role_bind" { project = "my_gcp_project_id" role = "projects/my_gcp_project_id/roles/cloudsqlExportBucketRole" member = "serviceAccount:cloud-sql-export@my_gcp_project_id.iam.gserviceaccount.com" }
(这是对露西·纳利(Lucy Nunley)对原始问题的评论的扩展。)
略有主题,但应提及:错误消息
(gcloud.sql.import.csv)httperror 403:服务帐户没有存储桶所需的权限。
如果文件 *在存储桶上不存在或使用通配符(如GCLOUD SQL SQL导入CSV上提到的情况,当导入文件包含WildCard时,请使用权限错误)也会发生。因此,也许在花费数小时调试Permisson之前,如果文件确实存在(在我的情况下,请在此期间进行清理工作,并且我的测试文件被删除了...)。