I have a Django test case `test_retrieve_bucket` that tests access to a GCP storage bucket.

```python
from datetime import datetime

from django.test import SimpleTestCase, TestCase
from google.cloud import storage

from .models import Expense  # the app's Expense model (module path assumed)


class DemoTest(TestCase):
    def setUp(self):
        self.expense = Expense.objects.create(
            invoice_number="ABC",
            account_number="123",
            customer_name="XYZ",
            invoice_amount=12.50,
            invoice_date=datetime.now(),
        )

    def test1(self):
        self.assertEqual(self.expense.invoice_number, "ABC")

    def test2(self):
        self.assertEqual(self.expense.account_number, "123")

    def test3(self):
        self.assertEqual(self.expense.customer_name, "XYZ")

    def test_retrieve_bucket(self):
        bucket_name = "test_bucket_8866"
        # Application Default Credentials: locally the service account, in CI
        # whatever google-github-actions/auth exported for the job.
        client = storage.Client()
        bucket = client.bucket(bucket_name)
        # exists() issues GET /storage/v1/b/<name>, which needs storage.buckets.get
        self.assertTrue(bucket.exists())
```
But the test fails, and this is the error I get:

```
google.api_core.exceptions.Forbidden: 403 GET https://storage.googleapis.com/storage/v1/b/test_bucket_8866?fields=name&prettyPrint=false: [email protected] does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist).
```
The service account I'm using also has the Storage Object Admin role, which should give me access to the bucket.

Here is my workflow file:
```yaml
name: Django CI

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      max-parallel: 4
      matrix:
        python-version: [3.12.4]

    steps:
      - uses: actions/checkout@v4
      - name: auth
        uses: google-github-actions/[email protected]
        with:
          workload_identity_provider: 'projects/334572487877/locations/global/workloadIdentityPools/learn-github-actions-pool/providers/github-cdci'
          service_account: '[email protected]'
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v3
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install Dependencies
        run: |
          pip install pipenv && pipenv install --system
      - name: Run Tests
        run: |
          python manage.py test

permissions:
  contents: 'read'
  id-token: 'write'
```
When I run the Django tests locally using the service account above, all tests pass. Is there something I'm missing?

EDIT:

Here is the command I used to add the WorkloadIdentityUser role to the workload identity pool:

```shell
gcloud iam service-accounts add-iam-policy-binding "[email protected]" \
  --project="tbi-finance" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/334572487877/locations/global/workloadIdentityPools/learn-github-actions-pool/attribute.repository/duybtr/django_cdci"
```
I was able to replicate your solution, but... wow!

For simplicity, I'll enumerate the various resources I created and hope you're able to infer the difference that gets yours working.
Per this comment, I encourage you to add the `oidc-debugger` step after `checkout`, and `token_format: access_token` to `auth` (if not already):

```yaml
steps:
  - name: checkout
    uses: actions/checkout@v4
  - name: oidc-debugger
    uses: github/actions-oidc-debugger@main
    with:
      audience: https://iam.googleapis.com/{PROVIDER}
  - name: auth
    uses: google-github-actions/auth@v2
    with:
      workload_identity_provider: {PROVIDER}
      service_account: {EMAIL}
      create_credentials_file: true
      token_format: access_token
```
Beware of red herrings. The error I received differed from yours, but it was the result of a misconfiguration, not of incorrect IAM on the Google project:

```
Error: google-github-actions/auth failed with: failed to generate Google Cloud OAuth 2.0 Access Token for ${EMAIL}:
{
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}
```
```shell
gcloud iam workload-identity-pools describe ${POOL} \
  --project="${PROJECT}" \
  --location="global"
```

```yaml
displayName: GitHub Actions Pool
name: projects/{NUMBER}/locations/global/workloadIdentityPools/{POOL}
state: ACTIVE
```
```shell
gcloud iam workload-identity-pools providers describe ${PROVIDER} \
  --project=${PROJECT} \
  --location="global" \
  --workload-identity-pool=${POOL}
```

```yaml
attributeCondition: assertion.repository_owner=="{OWNER}" && assertion.repository=="{OWNER}/{REPO}"
attributeMapping:
  attribute.actor: assertion.actor
  attribute.repository: assertion.repository
  attribute.repository_owner: assertion.repository_owner
  google.subject: assertion.sub
displayName: {PROVIDER}
name: projects/{NUMBER}/locations/global/workloadIdentityPools/{POOL}/providers/{PROVIDER}
oidc:
  issuerUri: https://token.actions.githubusercontent.com
state: ACTIVE
```
```shell
gcloud projects get-iam-policy ${PROJECT}
```

```yaml
bindings:
- members:
  - serviceAccount:{EMAIL}
  role: roles/iam.serviceAccountTokenCreator
- members:
  - user:{ME}
  role: roles/owner
- members:
  - serviceAccount:{EMAIL}
  role: roles/storage.admin
etag: [REDACTED]
version: 1
```
NOTE Per my comment, the project's policy does not contain `roles/iam.workloadIdentityUser`; that role exists in the service account's policy:

```shell
gcloud iam service-accounts get-iam-policy ${EMAIL}
```

```yaml
bindings:
- members:
  - principalSet://iam.googleapis.com/projects/{NUMBER}/locations/global/workloadIdentityPools/{POOL}/attribute.repository/{OWNER}/{REPO}
  role: roles/iam.workloadIdentityUser
etag: [REDACTED]
version: 1
```
Name | Value
---|---
Service Account email address | `{EMAIL}`
My Google account | `{ME}`
Google Cloud project number | `{NUMBER}`
GitHub user account or | `{OWNER}`
Workload Identity Pool | `{POOL}`
Google Cloud project ID | `{PROJECT}`
Workload Identity Provider | `{PROVIDER}`
GitHub repo name | `{REPO}`
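The following is an added example, not code from the question or from the answer above. It models the trust chain that the `describe` and `get-iam-policy` output above documents (token issuer, `attributeCondition`, `attributeMapping`, then the `roles/iam.workloadIdentityUser` binding on the service account) so the two halves of a Workload Identity Federation setup can be checked against each other offline: does a token from a given repository actually reach a `principalSet`/`principal` member on the service account? The pool, provider, repository, e-mail and policy values are constructed placeholders, the claim set is a constructed subset of a GitHub Actions OIDC token, and the condition evaluator only understands the `assertion.x=="..."` terms joined by `&&` that this page uses, not general CEL.

```python
import re

# Constructed sample data shaped like the gcloud output on this page; none of the
# project numbers, pool/provider names, repositories or e-mails are real resources.
POOL_RESOURCE = "projects/000000000000/locations/global/workloadIdentityPools/gh-pool"

PROVIDER = {
    "attributeCondition": 'assertion.repository_owner=="octo-org" && assertion.repository=="octo-org/demo-repo"',
    "attributeMapping": {
        "attribute.actor": "assertion.actor",
        "attribute.repository": "assertion.repository",
        "attribute.repository_owner": "assertion.repository_owner",
        "google.subject": "assertion.sub",
    },
    "oidc": {"issuerUri": "https://token.actions.githubusercontent.com"},
    "state": "ACTIVE",
}

SA_POLICY = {
    "bindings": [
        {
            "members": ["principalSet://iam.googleapis.com/" + POOL_RESOURCE
                        + "/attribute.repository/octo-org/demo-repo"],
            "role": "roles/iam.workloadIdentityUser",
        }
    ]
}

_TERM = re.compile(r'^\s*assertion\.(\w+)\s*==\s*"([^"]*)"\s*$')


def github_claims(owner, repo, actor="octocat", ref="refs/heads/main"):
    """Constructed subset of the claims in a GitHub Actions OIDC token."""
    return {
        "iss": "https://token.actions.githubusercontent.com",
        "sub": f"repo:{owner}/{repo}:ref:{ref}",
        "repository": f"{owner}/{repo}",
        "repository_owner": owner,
        "actor": actor,
    }


def map_attributes(mapping, claims):
    """Apply an attributeMapping of the form attribute.x: assertion.y to token claims."""
    out = {}
    for target, expr in mapping.items():
        if not expr.startswith("assertion."):
            raise ValueError(f"unsupported mapping expression: {expr}")
        out[target] = claims.get(expr[len("assertion."):])
    return out


def condition_holds(condition, claims):
    """Evaluate the CEL subset used on this page: assertion.x=="v" terms joined by &&."""
    if not condition:
        return True  # no condition: every token the issuer signs passes this gate
    for term in condition.split("&&"):
        match = _TERM.match(term)
        if not match:
            raise ValueError(f"unsupported condition term: {term.strip()}")
        claim, expected = match.groups()
        if claims.get(claim) != expected:
            return False
    return True


def matching_members(policy, pool_resource, mapped):
    """Return the workloadIdentityUser members that the mapped attributes satisfy."""
    set_prefix = "principalSet://iam.googleapis.com/" + pool_resource + "/attribute."
    subject_prefix = "principal://iam.googleapis.com/" + pool_resource + "/subject/"
    hits = []
    for binding in policy["bindings"]:
        if binding["role"] != "roles/iam.workloadIdentityUser":
            continue
        for member in binding["members"]:
            if member.startswith(set_prefix):
                # principalSet .../attribute.<name>/<value>: the value may itself contain '/'
                name, _, value = member[len(set_prefix):].partition("/")
                if mapped.get("attribute." + name) == value:
                    hits.append(member)
            elif member.startswith(subject_prefix):
                if mapped.get("google.subject") == member[len(subject_prefix):]:
                    hits.append(member)
    return hits


def can_impersonate(provider, policy, pool_resource, claims):
    """Walk the chain: issuer -> attributeCondition -> attributeMapping -> SA binding."""
    if claims.get("iss") != provider["oidc"]["issuerUri"]:
        return False, "token issuer does not match provider issuerUri"
    if not condition_holds(provider.get("attributeCondition", ""), claims):
        return False, "attributeCondition rejects this token"
    mapped = map_attributes(provider["attributeMapping"], claims)
    hits = matching_members(policy, pool_resource, mapped)
    if not hits:
        return False, "no roles/iam.workloadIdentityUser binding matches the mapped attributes"
    return True, "matched " + hits[0]


if __name__ == "__main__":
    for owner, repo in [("octo-org", "demo-repo"), ("octo-org", "other-repo"), ("someone-else", "demo-repo")]:
        print(f"{owner}/{repo}:", can_impersonate(PROVIDER, SA_POLICY, POOL_RESOURCE, github_claims(owner, repo)))
```

Two things the walk makes visible that the raw `gcloud` output does not: the `principalSet` member on the service account has to name the same pool as the provider and an attribute that the provider's `attributeMapping` actually produces (a binding on `attribute.repository` is dead if the mapping never defines it), and the `attributeCondition` is the only thing distinguishing your repository from every other repository whose tokens the shared GitHub issuer signs, so a provider with no condition relies entirely on how narrowly the bindings are written.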