时间戳

首页 > 解决方案 > Google 部署管理器 - 项目创建权限被拒绝

google-cloud-platform - Google 部署管理器 - 项目创建权限被拒绝

问题描述

运行部署管理器以创建部署时,我从 GCP 收到 403 PERMISSION_DENIED 响应,该部署创建一个项目、两个服务帐户并使用云资源管理器 API 为其设置 IAM 策略。

- code: RESOURCE_ERROR
  location: /deployments/test-deployment/resources/dm-test-project
  message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
    caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/dm-test-project","httpMethod":"GET"}}'

之前,我创建了一个项目“DM Project Creation”,启用一些 API,为其分配计费帐户,然后创建一个服务帐户。我已经创建了一个组织节点,因此我在 org 节点中添加了创建的服务帐户并提供了以下 IAM 角色: - 项目创建者 - 计费帐户用户

我实际上是从谷歌云平台关注这个例子: https ://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/examples/v2/project_creation

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/community/cloud-foundation/templates/project/README.md

我运行以下命令以使用服务帐户进行身份验证:

gcloud auth activate-service-account dm-project-creation@dm-creation-project-0.iam.gserviceaccount.com --key-file=/Users/famedina/Downloads/dm-creation-project-0-f1f92dd070ce.json

然后通过配置文件运行部署管理器: gcloud deployment-manager deployments create test-deployment --config config.yaml

imports:
- path: project.py

resources:
  # The "name" property below will be the ID of the new project
  # If you want your project to have a different name, use the "project-name"
  # property.
  - name: dm-test-project
    type: project.py
    properties:
        # Change this to your organization ID.
        organization-id: "<MY_ORG_ID"
        # You can also create the project in a folder.
        # If both organization-id and parent-folder-id are provided,
        # the project will be created in parent-folder-id.
        #parent-folder-id: "FOLDER_ID"

        # Change the following to your organization's billing account
        billing-account-name: billingAccounts/<MY_BILLING_ACC_ID>

        # The apis to enable in the new project.
        # To see the possible APIs, use: gcloud services list --available
        apis:
          - compute.googleapis.com
          - deploymentmanager.googleapis.com
          - pubsub.googleapis.com
          - storage-component.googleapis.com
          - monitoring.googleapis.com
          - logging.googleapis.com

        # The service accounts you want to create in the project
        service-accounts:
          - my-service-account-1
          - my-service-account-2

        bucket-export-settings:
            create-bucket: true
            # If using an already existing bucket, specify this
            # bucket: <my bucket name>

        # Makes the service account that Deployment Manager would use in the
        # generated project when making deployments in this new project a
        # project owner.
        set-dm-service-account-as-owner: true

        # The patches to apply to the project's IAM policy. Note that these are
        # always applied as a patch to the project's current IAM policy, not as a
        # diff with the existing properties stored in DM. This means that removing
        # a binding from the 'add' section will not remove the binding on the
        # project during the next update. Instead it must be added to the 'remove'
        # section.
        iam-policy-patch:
            # These are the bindings to add.
            add:
              - role: roles/owner
                members:
                  # NOTE: The DM service account that is creating this project will
                  # automatically be added as an owner.
                  - serviceAccount:98765432100@cloudservices.gserviceaccount.com
              - role: roles/viewer
                members:
                  - user:iamtester@deployment-manager.net
            # The bindings to remove. Note that these are idempotent, in the sense
            # that any binding here that is not actually on the project is considered
            # to have been removed successfully.
            remove:
              - role: roles/owner
                members:
                  # This is already not on the project, but in case it shows up, let's
                  # remove it.
                  - serviceAccount:1234567890@cloudservices.gserviceaccount.com```

标签: google-cloud-platformgoogle-deployment-manager

解决方案

我也遇到了这个问题,错误消息实际上并没有解释潜在的问题。关键是这是一个 GET 操作,而不是创建项目的尝试。这是为了验证请求的项目 ID 的全局唯一性,如果不是唯一的,则抛出 PERMISSION_DENIED。

- code: RESOURCE_ERROR
  location: /deployments/test-deployment/resources/dm-test-project
  message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
    caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/dm-test-project","httpMethod":"**GET**"}}'

对最终用户产生的错误有很大的改进空间。

推荐阅读