无法从 GitHub Actions 工作流程访问 Google Cloud Storage 存储桶

问题描述 投票:0回答:1

我有 Django 测试用例 test_retrieve_bucket 来测试对 GCP 存储桶的访问。

from django.test import SimpleTestCase, TestCase
from google.cloud import storage

class DemoTest(TestCase):
def setUp(self):
    self.expense = Expense.objects.create(
        invoice_number = "ABC",
        account_number = "123",
        customer_name = "XYZ",
        invoice_amount = 12.50,
        invoice_date = datetime.now()
    )
def test1(self):
    return self.expense.invoice_number == "ABC"
def test2(self):
    return self.expense.account_number == "123"
def test3(self):
    return self.expense.customer_name == "XYZ"

def test_retrieve_bucket(self):
    bucket = "test_bucket_8866"
    client = storage.Client()
    bucket = client.bucket(bucket)
    return self.assertTrue(bucket.exists())

但是,测试失败,这是我收到的错误:

google.api_core.exceptions.Forbidden:403 GET https://storage.googleapis.com/storage/v1/b/test_bucket_8866?fields=name&prettyPrint=false[电子邮件受保护] 没有 storage.buckets。访问 Google Cloud Storage 存储桶。资源上的权限“storage.buckets.get”被拒绝(或者它可能不存在)。

我在上一步中成功使用工作负载身份联合验证了服务帐户: enter image description here

我使用的服务帐户还具有存储对象管理权限,这应该使我能够访问存储桶: enter image description here

这是我的工作流程文件:

name: Django CI

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  build:

    runs-on: ubuntu-latest
    strategy:
      max-parallel: 4
      matrix:
        python-version: [3.12.4]

    steps:
    - uses: actions/checkout@v4
    - name: auth
      uses: google-github-actions/[email protected]
      with:
        workload_identity_provider: 'projects/334572487877/locations/global/workloadIdentityPools/learn-github-actions-pool/providers/github-cdci'
        service_account: '[email protected]'
    - name: Set up Python ${{ matrix.python-version }}
      uses: actions/setup-python@v3
      with:
        python-version: ${{ matrix.python-version }}
    - name: Install Dependencies
      run: |
        pip install pipenv && pipenv install --system
    - name: Run Tests
      run: |
        python manage.py test
permissions:
  contents: 'read'
  id-token: 'write'

当我使用上面的服务帐户在本地运行 Django 测试时,所有测试都通过了。我还有什么遗漏的吗?

编辑:

这是我用来将角色 WorkloadIdentityUser 添加到工作负载身份池的命令:

gcloud iam service-accounts add-iam-policy-binding "[email protected]" \
        --project="tbi-finance" \
        --role="roles/iam.workloadIdentityUser" \
        --member="principalSet://iam.googleapis.com/projects/334572487877/locations/global/workloadIdentityPools/learn-github-actions-pool/attribute.repository/duybtr/django_cdci"
python django google-cloud-platform google-cloud-storage github-actions
1个回答
0
投票

我能够复制你的解决方案,但是......天哪!

为了简单起见,我将列举我创建的各种资源,希望您能够推断出让您工作的差异。

根据此评论我鼓励您添加:

  1. checkout
    之后和
    auth
    2. 之前的 GitHub OIDC 调试器 
  2. token_format: access_token
    (如果还没有)
steps:
- name: checkout
  uses: actions/checkout@v4
- name: oidc-debugger
  uses: github/actions-oidc-debugger@main
  with:
    audience: https://iam.googleapis.com/{PROVIDER}
- name: auth
  uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: {PROVIDER}
    service_account: {EMAIL}
    create_credentials_file: true
    token_format: access_token

警惕转移注意力的事情。我收到的错误与您不同,但这是配置错误的结果,而不是因为 Google 项目的 IAM 不正确:

错误:google-github-actions/auth 失败:无法为 ${EMAIL} 生成 Google Cloud OAuth 2.0 访问令牌:

{
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}
泳池
gcloud iam workload-identity-pools describe ${POOL} \
  --project="${PROJECT}" \
  --location="global"

displayName: GitHub Actions Pool
name: projects/{NUMBER}/locations/global/workloadIdentityPools/{POOL}
state: ACTIVE
提供商
gcloud iam workload-identity-pools providers describe ${PROVIDER} \
--project=${PROJECT} \
--location="global" \
--workload-identity-pool=${POOL}

attributeCondition: assertion.repository_owner=="{OWNER}" && assertion.repository=="{OWNER}/{REPO}"
attributeMapping:
  attribute.actor: assertion.actor
  attribute.repository: assertion.repository
  attribute.repository_owner: assertion.repository_owner
  google.subject: assertion.sub
displayName: {PROVIDER}
name: projects/{NUMBER}/locations/global/workloadIdentityPools/{POOL}/providers/{PROVIDER}
oidc:
  issuerUri: https://token.actions.githubusercontent.com
state: ACTIVE
IAM 项目
gcloud projects get-iam-policy ${PROJECT}

bindings:
- members:
  - serviceAccount:{EMAIL}
  role: roles/iam.serviceAccountTokenCreator
- members:
  - user:{ME}
  role: roles/owner
- members:
  - serviceAccount:{EMAIL}
  role: roles/storage.admin
etag: [REDACTED]
version: 1

注意 根据我的评论,该项目的政策没有 

roles/iam.workloadIdentityUser
;该角色存在于服务帐户的策略中

服务账户 IAM
gcloud iam service-accounts get-iam-policy ${EMAIL}

bindings:
- members:
  - principalSet://iam.googleapis.com/projects/{NUMBER}/locations/global/workloadIdentityPools/{POOL}/attribute.repository/{OWNER}/{REPO}
  role: roles/iam.workloadIdentityUser
etag: [REDACTED]
version: 1
变量
姓名 价值 
ACCOUNT
 服务帐号 
EMAIL
 服务帐户电子邮件地址:
${ACCOUNT}@${PROJECT}.iam.gserviceaccount.com
 
ME
 我的谷歌帐户 
NUMBER
 Google Cloud 项目编号 
OWNER
 GitHub 用户帐户或 
${ORG}
 
POOL
 工作负载身份池 
PROJECT
 Google 云项目 ID 
PROVIDER
 工作负载身份提供商 
REPO
 GitHub 仓库名称
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.