In an automated database backup, the database is exported to a Google bucket with the following command:
gcloud sql export sql "$INSTANCE" "gs://db-backup-temp-storage/${INSTANCE_PREFIX}_${DB}_dump.gz" --database="${DB}"
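A few days ago, this command started failing most of the time (~80%). When it is run again several times after a failure, it works after a few attempts. The error message is: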
$ gcloud --verbosity=debug sql export sql "$INSTANCE" "gs://db-backup-temp-storage/${INSTANCE_PREFIX}_${DB}_dump.gz" --database="${DB}"
DEBUG: Running [gcloud.sql.export.sql] with arguments: [--database: "['staging_tool_tool']", --verbosity: "debug", INSTANCE: "prd-pg", URI: "gs://db-backup-temp-storage/pg_staging_tool_tool_dump.gz"]
DEBUG: Starting new HTTPS connection (1): sqladmin.googleapis.com:443
DEBUG: https://sqladmin.googleapis.com:443 "POST /sql/v1beta4/projects/<PROJECT_NAME>/instances/prd-pg/export?alt=json HTTP/1.1" 403 None
DEBUG: (gcloud.sql.export.sql) HTTPError 403: The service account does not have the required permissions for the bucket. This command is authenticated as prod-rundeck-kubectl@<PROJECT_NAME>.iam.gserviceaccount.com which is the active account specified by the [core/account] property.
Traceback (most recent call last):
File "/usr/bin/../lib/google-cloud-sdk/lib/googlecloudsdk/calliope/cli.py", line 998, in Execute
resources = calliope_command.Run(cli=self, args=args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/bin/../lib/google-cloud-sdk/lib/googlecloudsdk/calliope/backend.py", line 842, in Run
resources = command_instance.Run(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/bin/../lib/google-cloud-sdk/lib/surface/sql/export/sql.py", line 75, in Run
return export_util.RunSqlExportCommand(args, client)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/bin/../lib/google-cloud-sdk/lib/googlecloudsdk/command_lib/sql/export_util.py", line 146, in RunSqlExportCommand
return RunExportCommand(args, client, sql_export_context)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/bin/../lib/google-cloud-sdk/lib/googlecloudsdk/command_lib/sql/export_util.py", line 91, in RunExportCommand
result_operation = sql_client.instances.Export(export_request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/bin/../lib/google-cloud-sdk/lib/googlecloudsdk/generated_clients/apis/sqladmin/v1beta4/sqladmin_v1beta4_client.py", line 832, in Export
return self._RunMethod(
^^^^^^^^^^^^^^^^
File "/usr/bin/../lib/google-cloud-sdk/lib/third_party/apitools/base/py/base_api.py", line 747, in _RunMethod
return self.ProcessHttpResponse(method_config, http_response, request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/bin/../lib/google-cloud-sdk/lib/third_party/apitools/base/py/base_api.py", line 753, in ProcessHttpResponse
self.__ProcessHttpResponse(method_config, http_response, request))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/bin/../lib/google-cloud-sdk/lib/third_party/apitools/base/py/base_api.py", line 612, in __ProcessHttpResponse
raise exceptions.HttpError.FromResponse(
apitools.base.py.exceptions.HttpForbiddenError: HttpError accessing <https://sqladmin.googleapis.com/sql/v1beta4/projects/<PROJECT_NAME>/instances/prd-pg/export?alt=json>: response: <{'vary': 'Origin, X-Origin, Referer', 'content-type': 'application/json; charset=UTF-8', 'content-encoding': 'gzip', 'date': 'Wed, 09 Oct 2024 14:16:56 GMT', 'server': 'ESF', 'cache-control': 'private', 'x-xss-protection': '0', 'x-frame-options': 'SAMEORIGIN', 'x-content-type-options': 'nosniff', 'alt-svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000', 'transfer-encoding': 'chunked', 'status': 403}>, content <{
"error": {
"code": 403,
"message": "The service account does not have the required permissions for the bucket.",
"errors": [
{
"message": "The service account does not have the required permissions for the bucket.",
"domain": "global",
"reason": "notAuthorized"
}
]
}
}
>
ERROR: (gcloud.sql.export.sql) HTTPError 403: The service account does not have the required permissions for the bucket. This command is authenticated as prod-rundeck-kubectl@<PROJECT_NAME>.iam.gserviceaccount.com which is the active account specified by the [core/account] property.
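When analyzing the permissions in the Cloud Console (IAM & Admin → Service Accounts → prod-rundeck-kubectl@<PROJECT_NAME>.iam.gserviceaccount.com → Permissions → View access → Analyze), the service account has the "Storage Object Admin" and "Cloud SQL Editor" permissions, as shown in.
Strangely, when the command is retried without any changes, the export still works, which makes it look as if it is not actually a permissions problem.
Does anyone know what causes this or how to debug it?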
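One check that fits this error, added here as an example and not part of the original post: a Cloud SQL export writes the dump object as the instance's own service account (the `serviceAccountEmailAddress` field of `gcloud sql instances describe`), not as the account that ran gcloud, so the bucket policy has to be checked for both accounts. The account names and the policy below are constructed, and `SUFFICIENT_ROLES` is this example's assumption about which roles are enough.

```python
import json

# Roles treated as sufficient for writing the dump object
# (assumption of this example; custom and inherited roles are not evaluated).
SUFFICIENT_ROLES = {"roles/storage.objectAdmin", "roles/storage.admin"}

# Constructed sample shaped like the output of
#   gcloud storage buckets get-iam-policy gs://BUCKET --format=json
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.objectAdmin",
   "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectAdmin",
   "members": ["serviceAccount:p123-abc@gcp-sa-cloud-sql.iam.gserviceaccount.com"],
   "condition": {"title": "prefix-only",
                 "expression": "resource.name.startsWith('projects/_/buckets/b/objects/tmp/')"}},
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:p123-abc@gcp-sa-cloud-sql.iam.gserviceaccount.com"]}
]}
""")


def grants_for(policy, email):
    """Return (unconditional_roles, conditional_roles) bound to a service account."""
    member = "serviceAccount:" + email
    plain, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            (conditional if "condition" in binding else plain).add(binding["role"])
    return plain, conditional


def diagnose(policy, caller_sa, instance_sa):
    """Classify each account as 'ok', 'conditional' or 'missing' for bucket writes."""
    result = {}
    for label, email in (("caller", caller_sa), ("instance", instance_sa)):
        plain, conditional = grants_for(policy, email)
        if plain & SUFFICIENT_ROLES:
            result[label] = "ok"
        elif conditional & SUFFICIENT_ROLES:
            result[label] = "conditional"  # holds only when the IAM condition matches
        else:
            result[label] = "missing"
    return result


if __name__ == "__main__":
    # instance_sa comes from:
    #   gcloud sql instances describe INSTANCE --format='value(serviceAccountEmailAddress)'
    print(diagnose(SAMPLE_POLICY,
                   "caller@example-project.iam.gserviceaccount.com",
                   "p123-abc@gcp-sa-cloud-sql.iam.gserviceaccount.com"))
```

Bindings inherited from the project or organization do not appear in the bucket policy, so a "missing" result here still needs to be compared with the console's access analysis.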