添加 ObjectAcessControl 时托管服务帐户没有足够的权限答案

【问题标题】：Managed Service Account does not have enough permissions while adding ObjectAcessControl添加 ObjectAcessControl 时托管服务帐户没有足够的权限
【发布时间】：2019-11-27 12:20:51
【问题描述】：

尝试在部署管理器上添加对象控制访问：

- type: storage.v1.objectAccessControl
  name: url-access
  properties:
    role: READER
    bucket: "bucket"
    object: "object"
    entity: "email"

我收到了这个错误：

ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1574856490078-59852d9a9d256-4d665591-d57c3ea1]: errors:
- code: RESOURCE_ERROR
  location: /deployments/.../resources/user-access
  message: '{
    "ResourceType": "storage.v1.objectAccessControl",
    "ResourceErrorCode": "403",
    "ResourceErrorMessage": {
        "code": 403,
        "errors": [
            {
                "domain": "global",
                "message": "MANAGED_SA@cloudservices.gserviceaccount.com does not have storage.objects.get access to bucket/file.",
                "reason": "forbidden"
            }
        ],
        "message": "MANAGED_SA@cloudservices.gserviceaccount.com does not have storage.objects.get access to bucket/file.",
        "statusMessage": "Forbidden",
        "requestPath": "https://www.googleapis.com/storage/v1/b/bucket/o/file/acl",
        "httpMethod": "POST",
        "suggestion": "Consider granting permissions to MANAGED_SA@cloudservices.gserviceaccount.com"
    }
}'

奇怪的事实：MANAGED-SA 默认拥有项目的编辑权限。即使设置了所有者访问权限，我仍然收到此消息

【问题讨论】：

标签： google-cloud-platform google-deployment-manager

【解决方案1】：

只需为服务帐户 `MANAGED_SA@cloudservices.gserviceaccount.com 添加角色：“存储对象管理员”。浏览器不够用

【讨论】：

是的，只是权限问题