In an automated database backup, the database is exported to a Google bucket with the following command:

gcloud sql export sql "$INSTANCE" "gs://db-backup-temp-storage/${INSTANCE_PREFIX}_${DB}_dump.gz" --database="${DB}"

A few days ago this command started failing most of the time (~80%). When it is run several times after a failure, it works again after a few attempts. The error message is:

$ gcloud --verbosity=debug sql export sql "$INSTANCE" "gs://db-backup-temp-storage/${INSTANCE_PREFIX}_${DB}_dump.gz" --database="${DB}"
DEBUG: Running [gcloud.sql.export.sql] with arguments: [--database: "['staging_tool_tool']", --verbosity: "debug", INSTANCE: "prd-pg", URI: "gs://db-backup-temp-storage/pg_staging_tool_tool_dump.gz"]
DEBUG: Starting new HTTPS connection (1): sqladmin.googleapis.com:443
DEBUG: https://sqladmin.googleapis.com:443 "POST /sql/v1beta4/projects/<PROJECT_NAME>/instances/prd-pg/export?alt=json HTTP/1.1" 403 None
DEBUG: (gcloud.sql.export.sql) HTTPError 403: The service account does not have the required permissions for the bucket. This command is authenticated as prod-rundeck-kubectl@<PROJECT_NAME>.iam.gserviceaccount.com which is the active account specified by the [core/account] property.
Traceback (most recent call last):
  File "/usr/bin/../lib/google-cloud-sdk/lib/googlecloudsdk/calliope/cli.py", line 998, in Execute
    resources = calliope_command.Run(cli=self, args=args)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/bin/../lib/google-cloud-sdk/lib/googlecloudsdk/calliope/backend.py", line 842, in Run
    resources = command_instance.Run(args)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/bin/../lib/google-cloud-sdk/lib/surface/sql/export/sql.py", line 75, in Run
    return export_util.RunSqlExportCommand(args, client)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/bin/../lib/google-cloud-sdk/lib/googlecloudsdk/command_lib/sql/export_util.py", line 146, in RunSqlExportCommand
    return RunExportCommand(args, client, sql_export_context)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/bin/../lib/google-cloud-sdk/lib/googlecloudsdk/command_lib/sql/export_util.py", line 91, in RunExportCommand
    result_operation = sql_client.instances.Export(export_request)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/bin/../lib/google-cloud-sdk/lib/googlecloudsdk/generated_clients/apis/sqladmin/v1beta4/sqladmin_v1beta4_client.py", line 832, in Export
    return self._RunMethod(
           ^^^^^^^^^^^^^^^^
  File "/usr/bin/../lib/google-cloud-sdk/lib/third_party/apitools/base/py/base_api.py", line 747, in _RunMethod
    return self.ProcessHttpResponse(method_config, http_response, request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/bin/../lib/google-cloud-sdk/lib/third_party/apitools/base/py/base_api.py", line 753, in ProcessHttpResponse
    self.__ProcessHttpResponse(method_config, http_response, request))
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/bin/../lib/google-cloud-sdk/lib/third_party/apitools/base/py/base_api.py", line 612, in __ProcessHttpResponse
    raise exceptions.HttpError.FromResponse(
apitools.base.py.exceptions.HttpForbiddenError: HttpError accessing <https://sqladmin.googleapis.com/sql/v1beta4/projects/<PROJECT_NAME>/instances/prd-pg/export?alt=json>: response: <{'vary': 'Origin, X-Origin, Referer', 'content-type': 'application/json; charset=UTF-8', 'content-encoding': 'gzip', 'date': 'Wed, 09 Oct 2024 14:16:56 GMT', 'server': 'ESF', 'cache-control': 'private', 'x-xss-protection': '0', 'x-frame-options': 'SAMEORIGIN', 'x-content-type-options': 'nosniff', 'alt-svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000', 'transfer-encoding': 'chunked', 'status': 403}>, content <{
  "error": {
    "code": 403,
    "message": "The service account does not have the required permissions for the bucket.",
    "errors": [
      {
        "message": "The service account does not have the required permissions for the bucket.",
        "domain": "global",
        "reason": "notAuthorized"
      }
    ]
  }
}
>
ERROR: (gcloud.sql.export.sql) HTTPError 403: The service account does not have the required permissions for the bucket. This command is authenticated as prod-rundeck-kubectl@<PROJECT_NAME>.iam.gserviceaccount.com which is the active account specified by the [core/account] property.

When analysing the permissions in the Cloud Console (IAM & Admin → Service Accounts → prod-rundeck-kubectl@<PROJECT_NAME>.iam.gserviceaccount.com → Permissions → View access → Analyze), the service account has the "Storage Object Admin" and "Cloud SQL Editor" roles, as

Strangely, when the command is retried without any change, the export still works, which makes it look as if it is not actually a permission problem.

Does anyone know what causes this or how to debug it?

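As an added example (not part of the question above, and not the poster's backup script), here is a bash wrapper that a practitioner would put around `gcloud sql export sql` while chasing an intermittent 403 like this one. It does two things: it prints the identity Cloud SQL itself uses to write the dump (the instance's `serviceAccountEmailAddress`; Cloud SQL writes the export with that account, not with the gcloud caller, so that is the principal whose bucket binding matters) together with any bucket IAM entries that mention it, and it retries the export with bounded exponential backoff while keeping the last error text for the job log. The instance, bucket and database names are carried over from the question as assumptions; `GCLOUD` can be pointed at a stub so the retry logic can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example: diagnostic + retry wrapper for `gcloud sql export sql`.
# Not the original backup script. Names below are assumptions taken from
# the question; GCLOUD may be overridden (e.g. with a stub) for offline tests.
set -u

GCLOUD="${GCLOUD:-gcloud}"
RETRY_BASE_DELAY="${RETRY_BASE_DELAY:-5}"   # seconds before the first retry

# Service account that Cloud SQL uses to write export files for this instance.
# This is the identity the bucket must grant object-create rights to, not the
# account gcloud is authenticated as.
instance_export_sa() {
  local instance="$1"
  "$GCLOUD" sql instances describe "$instance" \
    --format='value(serviceAccountEmailAddress)'
}

# Bucket IAM policy lines that mention a member; empty output means there is
# no binding for that principal on the bucket.
bucket_bindings_for() {
  local bucket="$1" member="$2"
  "$GCLOUD" storage buckets get-iam-policy "gs://$bucket" --format=json \
    | grep -F "$member" || true
}

# Run the export with retries. Returns 0 on success, 1 after max_attempts
# failures. EXPORT_ATTEMPTS holds the number of attempts made and
# EXPORT_LAST_ERR the stderr of the last failed attempt, for logging.
export_with_retry() {
  local instance="$1" uri="$2" db="$3" max_attempts="${4:-5}"
  local attempt=1 delay="$RETRY_BASE_DELAY"
  EXPORT_ATTEMPTS=0
  EXPORT_LAST_ERR=""
  while [ "$attempt" -le "$max_attempts" ]; do
    EXPORT_ATTEMPTS=$attempt
    # stderr is captured, stdout (operation progress) is discarded
    if EXPORT_LAST_ERR=$("$GCLOUD" sql export sql "$instance" "$uri" \
          --database="$db" 2>&1 >/dev/null); then
      return 0
    fi
    echo "export attempt $attempt/$max_attempts failed: $(printf '%s' "$EXPORT_LAST_ERR" | tail -n 1)" >&2
    attempt=$((attempt + 1))
    if [ "$attempt" -le "$max_attempts" ]; then
      sleep "$delay"
      delay=$((delay * 2))
    fi
  done
  return 1
}

# Entry point for real use: RUN_EXPORT=1 INSTANCE=prd-pg DB=staging_tool_tool ./backup.sh
main() {
  local instance="${INSTANCE:-prd-pg}"
  local prefix="${INSTANCE_PREFIX:-pg}"
  local db="${DB:-staging_tool_tool}"
  local bucket="${BUCKET:-db-backup-temp-storage}"
  local uri="gs://${bucket}/${prefix}_${db}_dump.gz"

  local sa
  sa=$(instance_export_sa "$instance")
  echo "Cloud SQL export identity for $instance: $sa"
  echo "Bucket IAM entries mentioning it:"
  bucket_bindings_for "$bucket" "$sa"

  if export_with_retry "$instance" "$uri" "$db" 5; then
    echo "export succeeded after $EXPORT_ATTEMPTS attempt(s)"
  else
    echo "export failed after $EXPORT_ATTEMPTS attempts; last error:" >&2
    printf '%s\n' "$EXPORT_LAST_ERR" >&2
    exit 1
  fi
}

if [ "${RUN_EXPORT:-0}" = "1" ]; then
  main
fi
```

The retry loop is a stop-gap to keep backups running, not a fix: if `bucket_bindings_for` prints nothing for the instance's service account, or if the binding was recently changed, that is where to look before blaming the caller's own roles.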