google-cloud-platform - Google 部署管理器 - 项目创建权限被拒绝
问题描述
运行部署管理器以创建部署时,我从 GCP 收到 403 PERMISSION_DENIED 响应,该部署创建一个项目、两个服务帐户并使用云资源管理器 API 为其设置 IAM 策略。
- code: RESOURCE_ERROR
location: /deployments/test-deployment/resources/dm-test-project
message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/dm-test-project","httpMethod":"GET"}}'
之前,我创建了一个项目“DM Project Creation”,启用一些 API,为其分配计费帐户,然后创建一个服务帐户。我已经创建了一个组织节点,因此我在 org 节点中添加了创建的服务帐户并提供了以下 IAM 角色: - 项目创建者 - 计费帐户用户
我实际上是从谷歌云平台关注这个例子: https ://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/examples/v2/project_creation
我运行以下命令以使用服务帐户进行身份验证:
gcloud auth activate-service-account dm-project-creation@dm-creation-project-0.iam.gserviceaccount.com --key-file=/Users/famedina/Downloads/dm-creation-project-0-f1f92dd070ce.json
然后通过配置文件运行部署管理器:
gcloud deployment-manager deployments create test-deployment --config config.yaml
imports:
- path: project.py
resources:
# The "name" property below will be the ID of the new project
# If you want your project to have a different name, use the "project-name"
# property.
- name: dm-test-project
type: project.py
properties:
# Change this to your organization ID.
organization-id: "<MY_ORG_ID"
# You can also create the project in a folder.
# If both organization-id and parent-folder-id are provided,
# the project will be created in parent-folder-id.
#parent-folder-id: "FOLDER_ID"
# Change the following to your organization's billing account
billing-account-name: billingAccounts/<MY_BILLING_ACC_ID>
# The apis to enable in the new project.
# To see the possible APIs, use: gcloud services list --available
apis:
- compute.googleapis.com
- deploymentmanager.googleapis.com
- pubsub.googleapis.com
- storage-component.googleapis.com
- monitoring.googleapis.com
- logging.googleapis.com
# The service accounts you want to create in the project
service-accounts:
- my-service-account-1
- my-service-account-2
bucket-export-settings:
create-bucket: true
# If using an already existing bucket, specify this
# bucket: <my bucket name>
# Makes the service account that Deployment Manager would use in the
# generated project when making deployments in this new project a
# project owner.
set-dm-service-account-as-owner: true
# The patches to apply to the project's IAM policy. Note that these are
# always applied as a patch to the project's current IAM policy, not as a
# diff with the existing properties stored in DM. This means that removing
# a binding from the 'add' section will not remove the binding on the
# project during the next update. Instead it must be added to the 'remove'
# section.
iam-policy-patch:
# These are the bindings to add.
add:
- role: roles/owner
members:
# NOTE: The DM service account that is creating this project will
# automatically be added as an owner.
- serviceAccount:98765432100@cloudservices.gserviceaccount.com
- role: roles/viewer
members:
- user:iamtester@deployment-manager.net
# The bindings to remove. Note that these are idempotent, in the sense
# that any binding here that is not actually on the project is considered
# to have been removed successfully.
remove:
- role: roles/owner
members:
# This is already not on the project, but in case it shows up, let's
# remove it.
- serviceAccount:1234567890@cloudservices.gserviceaccount.com```
解决方案
我也遇到了这个问题,错误消息实际上并没有解释潜在的问题。关键是这是一个 GET 操作,而不是创建项目的尝试。这是为了验证请求的项目 ID 的全局唯一性,如果不是唯一的,则抛出 PERMISSION_DENIED。
- code: RESOURCE_ERROR
location: /deployments/test-deployment/resources/dm-test-project
message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/dm-test-project","httpMethod":"**GET**"}}'
对最终用户产生的错误有很大的改进空间。
推荐阅读
- android - GooglePlayServices 的 api isUserResolvableError 在不是可解决错误时也返回 true?
- c++ - “WCHAR **”类型的参数与“const wchar_t *”类型的参数不兼容
- c++ - 使用 CDT 插件在 Eclipse 中构建 C/C++ 应用程序
- angular - 有条件地防止值在 mat-select 中改变
- javascript - 等待反应路由器history.goBack
- kubernetes - Digital Ocean Kubernetes Let's Encrypt 等待 HTTP-01 挑战传播:未能执行自检
- swift - 如何让谷歌地图标记激活触摸拖动而不是长触摸
- python - 问题:TypeError:“float”对象不可下标
- ios - CocoaPods 找不到 pod“React-perflogger”的兼容版本
- firebase - 如何跳过 Firestore Firebase 中 onSnapshot 侦听器的初始数据?