Google Cloud Storage Service Account Authorization Tutorial

Table of Contents

Service Account Authorization Tutorial

1. Create a service account

https://cloud.google.com/iam/docs/service-accounts-create

2. Create a key

https://cloud.google.com/iam/docs/keys-create-delete

3. IAM authorization

https://cloud.google.com/iam/docs/roles-overview
If you use CloudBerry Explorer to manage Google Cloud Storage, grant the account at least the Viewer role when editing its permissions; the Browser role is not enough and produces this error:

The remote server returned an error: (403) Forbidden.
<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>trt-tpm@itrms-77dc.iam.gserviceaccount.com does not have storage.buckets.list access to the Google Cloud project. Permission 'storage.buckets.list' denied on resource (or it may not exist).</Details></Error>

If higher privileges are needed, Owner or Editor can be chosen instead.

4. Bucket permission settings

https://cloud.google.com/storage/docs/access-control/iam-roles
Read-only: Storage Object Viewer
Write-only: Storage Object Creator
With only the roles above, the account can read and write objects but cannot delete them, and cannot overwrite a file of the same name either, because overwriting amounts to deleting the old file.
For normal use, granting Storage Object User is sufficient.

English Version

Google Cloud Storage Service Account Authorization Guide

1. Create a Service Account

Follow this guide to create a service account:
Create a Service Account (https://cloud.google.com/iam/docs/service-accounts-create)

2. Create a Key

To create and manage keys for your service account, refer to this guide:
Create and Delete Keys (https://cloud.google.com/iam/docs/keys-create-delete)

3. IAM Authorization

To assign IAM roles and permissions, check the overview here:
IAM Roles Overview (https://cloud.google.com/iam/docs/roles-overview)

If you’re using CloudBerry Explorer to manage Google Cloud Storage, make sure to assign the Viewer role at a minimum. The Browser role is insufficient and will cause the following error:

The remote server returned an error: (403) Forbidden.
<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>trt-tpm@itrms-77dc.iam.gserviceaccount.com does not have storage.buckets.list access to the Google Cloud project. Permission 'storage.buckets.list' denied on resource (or it may not exist).</Details></Error>

For higher access levels, you can assign Owner or Editor roles.

4. Set Bucket Permissions

Check the Google Cloud Storage documentation on access control for setting bucket permissions: https://cloud.google.com/storage/docs/access-control/iam-roles

  • Read-only: Storage Object Viewer
  • Write-only: Storage Object Creator (Can write new files but cannot delete or overwrite existing ones since overwriting involves deleting the old file)

For normal usage, you can assign the Storage Object User role.
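The four steps above can also be done from the gcloud CLI instead of the console. The script below is an added example and is not part of the original guide; the project id, account name, bucket name and key path are placeholders, and the role names map to the roles the guide lists (Viewer at project level, Storage Object Viewer / Creator / User at bucket level). It defaults to DRY_RUN=1, which only prints the commands, so the IAM changes are applied only when it is run explicitly with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original page: the guide's four steps as gcloud
# commands. PROJECT_ID, SA_NAME, BUCKET and KEY_FILE are placeholders.
# DRY_RUN=1 (the default) prints each command; DRY_RUN=0 executes it.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"   # placeholder project id
SA_NAME="${SA_NAME:-gcs-client}"            # placeholder account name
BUCKET="${BUCKET:-my-bucket}"               # placeholder bucket name
KEY_FILE="${KEY_FILE:-./${SA_NAME}-key.json}"
DRY_RUN="${DRY_RUN:-1}"

# Service account e-mail as Google Cloud forms it: NAME@PROJECT.iam.gserviceaccount.com
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# In dry-run mode print the command line instead of executing it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: create the service account.
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" \
      --project="$PROJECT_ID" --display-name="GCS client"
}

# Step 2: create a JSON key. The file is a long-lived credential, so it is
# restricted to the owner right after it is written.
create_key() {
  run gcloud iam service-accounts keys create "$KEY_FILE" \
      --iam-account="$(sa_email "$SA_NAME" "$PROJECT_ID")"
  run chmod 600 "$KEY_FILE"
}

# Step 3: project-level role. roles/viewer carries storage.buckets.list, which a
# client such as CloudBerry Explorer needs to enumerate buckets; roles/browser
# does not, which is the 403 quoted in the guide.
grant_project_role() {
  role="${1:-roles/viewer}"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$(sa_email "$SA_NAME" "$PROJECT_ID")" \
      --role="$role"
}

# Step 4: bucket-level role, bound on the single bucket rather than the project:
#   roles/storage.objectViewer   read only
#   roles/storage.objectCreator  write new objects only (no delete, no overwrite)
#   roles/storage.objectUser     read, write and delete (normal use)
grant_bucket_role() {
  role="${1:-roles/storage.objectUser}"
  run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
      --member="serviceAccount:$(sa_email "$SA_NAME" "$PROJECT_ID")" \
      --role="$role"
}

main() {
  create_service_account
  create_key
  grant_project_role roles/viewer
  grant_bucket_role roles/storage.objectUser
}

main
```

For a read-only or write-only account, call `grant_bucket_role roles/storage.objectViewer` or `grant_bucket_role roles/storage.objectCreator` in place of the default; granting the object role on the bucket rather than the project keeps the key from reaching other buckets in the project.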
