Bucket query permission denied in GCP even though the service account has the Owner role

Problem description

I am trying to create a GCP VM with Terraform. I created a service account in Google with the project Owner role. Through Terraform I am trying to create a bucket to store Terraform's state. The credentials .json is stored in a GitLab variable.

The problem is that although the service account has the Owner role, I get a 403 error saying my service account does not have access and is forbidden.

What I have tried:

GitLab's yml:

image:
  name: hashicorp/terraform:light  
  entrypoint:
    - '/usr/bin/env'
    - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

before_script:
  - rm -rf .terraform
  - terraform --version
  - mkdir -p ./creds
  - echo $SERVICEACCOUNT | base64 -d > ./creds/serviceaccount.json
  - terraform init

stages:
  - validate
  - plan
  - apply

validate:
  stage: validate
  script:
    - terraform validate

plan:
  stage: plan
  script:
    - terraform plan -out "planfile"
  dependencies:
    - validate
  artifacts:
    paths:
      - planfile

apply:
  stage: apply
  script:
    - terraform apply -input=false "planfile"
  dependencies:
    - plan
  when: manual


My main.tf:

provider "google" {
  project     = "project-id-name"
  credentials = "./creds/serviceaccount.json"
  region      = "europe-west1"
}

# make bucket to store terraform state into
resource "google_storage_bucket" "terraform_state" {
  name     = "terraform-up-and-running-state"
  # google_storage_bucket takes "location", not "region"
  location = "europe-west1"
}

# config terraform to store onto cloud in bucket above
terraform {
  backend "gcs" {
    bucket      = "terraform-up-and-running-state"
    credentials = "./creds/serviceaccount.json"
  }
}

# rest
resource "google_compute_instance" "vm_instance" {
  name         = "my-test-vm"
  machine_type = "f1-micro"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    # A default network is created for all GCP projects
    network = google_compute_network.vpc_network.self_link
    access_config {
    }
  }
}

resource "google_compute_network" "vpc_network" {
  name                    = "my-test-network"
  auto_create_subnetworks = true
}

The goal is to set up a Google VM and everything I need purely through Terraform.

This is what GitLab's validate stage shows:

Running with gitlab-runner 12.3.0 (a8a019e0)
  on docker-auto-scale 72989761
Using Docker executor with image hashicorp/terraform:light ...
Pulling docker image hashicorp/terraform:light ...
Using docker image sha256:e42a20110eb49783e5f0e1594c67c8d45663fbf84303c395540b8dc94558d448 for hashicorp/terraform:light ...
Running on runner-72989761-project-14591382-concurrent-0 via runner-72989761-srm-1570020185-504ac9cf...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/my-project/playground-webscraper/.git/
Created fresh repository.
From https://gitlab.com/my-project/playground-webscraper
 * [new branch]      master     -> origin/master
Checking out c183697f as master...

Skipping Git submodules setup
$ rm -rf .terraform
$ terraform --version
Terraform v0.12.9
$ mkdir -p ./creds
$ echo $SERVICEACCOUNT | base64 -d > ./creds/serviceaccount.json
$ terraform init

Initializing the backend...

Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.

Error: Failed to get existing workspaces: querying Cloud Storage failed: googleapi: Error 403: terraform@kims-playground-webscraper.iam.gserviceaccount.com does not have storage.objects.list access to terraform-up-and-running-state., forbidden


ERROR: Job failed: exit code 1

Tags: google-cloud-platform, google-cloud-storage, terraform, gitlab-ci-runner, google-iam

Solution


The Google Cloud Storage bucket namespace is global, and terraform-up-and-running-state is already taken by another bucket somewhere in the world; you are trying to access their bucket and are being denied. It looks like many tutorials online reference this bucket name. Make sure your bucket name is unique.

I guess this is not your bucket: http://terraform-up-and-running-state.storage.googleapis.com/

See:
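An added example (not code from the question or the answer) of a state bucket whose name is derived from the project id plus a random suffix, so it cannot collide with a bucket that someone else owns in the global namespace. The project id "my-project-id", the hashicorp/random provider and a google provider new enough for uniform_bucket_level_access are assumptions.

```hcl
# Added example: unique state bucket name, hardened for storing Terraform state.
# Assumed: project id "my-project-id", provider "random" available.

provider "google" {
  project     = "my-project-id"
  credentials = "./creds/serviceaccount.json"
  region      = "europe-west1"
}

# Random suffix makes the globally visible name unique to this project.
resource "random_id" "state_suffix" {
  byte_length = 4
}

resource "google_storage_bucket" "terraform_state" {
  # e.g. "my-project-id-tfstate-1a2b3c4d": lowercase letters, digits, dashes only
  name     = "my-project-id-tfstate-${random_id.state_suffix.hex}"
  location = "EUROPE-WEST1"

  # IAM-only access, no per-object ACLs that could be loosened by mistake.
  uniform_bucket_level_access = true

  # Keep a history of state files so a bad apply can be rolled back.
  versioning {
    enabled = true
  }
}

# The name to put into the "gcs" backend block once the bucket exists.
output "state_bucket" {
  value = google_storage_bucket.terraform_state.name
}
```

The gcs backend only reads an existing bucket, so apply this first with local state, then add the backend block with the output name and run terraform init again to migrate the state.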

