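google-app-engine - Unable to deploy to Google App Engine using GitHub Actions - no credentials provided
Problem description
When trying to deploy my app from GitHub to Google App Engine using GitHub Actions, I keep getting the same error.
I have tried both the deploy-appengine action and setup-gcloud on its own, and both give me the same error.
Here is the action YAML: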
# This is the CI action for the repo. The build must succeed and all tests must pass before any pull requests can be made.
name: Deploy
on:
  pull_request:
    types: closed
    branches:
      - develop
      - master
  workflow_dispatch:
jobs:
  deploy:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [12.x]
    steps:
      - uses: actions/checkout@v2
      - name: Cache node modules
        uses: actions/cache@v1
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-
      - name: Node ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
      - name: Install dependencies
        run: npm install
      - name: Configure environments
        run: npm run configure:ci
      - name: Build
        run: npm run build:ci
        env:
          API_URL: ${{ secrets.API_URL }}
          FIREBASE_API_KEY: ${{ secrets.FIREBASE_API_KEY }}
          FIREBASE_AUTH_DOMAIN: ${{ secrets.FIREBASE_AUTH_DOMAIN }}
          FIREBASE_DATABASE_URL: ${{ secrets.FIREBASE_DATABASE_URL }}
          PROJECT_ID: ${{ secrets.PROJECT_ID }}
          STORAGE_BUCKET: ${{ secrets.STORAGE_BUCKET }}
          FIREBASE_SENDER_ID: ${{ secrets.FIREBASE_SENDER_ID }}
          FIREBASE_APP_ID: ${{ secrets.FIREBASE_APP_ID }}
          FIREBASE_MEASUREMENT_ID: ${{ secrets.FIREBASE_MEASUREMENT_ID }}
          ANGULAR_FIRE_EMAIL: ${{ secrets.ANGULAR_FIRE_EMAIL }}
          ANGULAR_FIRE_PASSWORD: ${{ secrets.ANGULAR_FIRE_PASSWORD }}
      - name: Configure app.yaml
        run: npm run app-config:ci
      - id: Deploy
        uses: google-github-actions/deploy-appengine@main
        with:
          credentials: ${{ secrets.GCP_SA_KEY }}
          deliverables: dist/app.yaml
          promote: true
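This is what my credentials file looks like. It is plain JSON, not BASE64. It is stored in the secrets.GCP_SA_KEY secret, with a branch rule for develop, which is where I am trying to run this action from: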
{
  "type": "service_account",
  "project_id": "REDACTED",
  "private_key_id": "REDACTED",
  "private_key": "-----BEGIN PRIVATE pm57A==\n-----END PRIVATE KEY-----\n",
  "client_email": "REDACTED@REDACTED.iam.gserviceaccount.com",
  "client_id": "REDACTED",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/REDACTED.iam.gserviceaccount.com"
}
I have granted the service account the appropriate permissions:
- App Engine Admin
- Cloud Build Editor
- Compute Storage Admin
- Service Account User
Every time I try to run the action, I get the following output:
Run google-github-actions/deploy-appengine@main
/usr/bin/tar --version
tar (GNU tar) 1.30
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by John Gilmore and Jay Fenlason.
/usr/bin/tar xz --warning=no-unknown-keyword -C /home/runner/work/_temp/14543984-d6e2-47c0-a6eb-a2a41a371468 -f /home/runner/work/_temp/8a247beb-4bc1-4157-b43f-f27c0f71ba36
/opt/hostedtoolcache/gcloud/333.0.0/x64/bin/gcloud config get-value project
(unset)
Error: No project Id provided.
/opt/hostedtoolcache/gcloud/333.0.0/x64/bin/gcloud auth list
No credentialed accounts.
To login, run:
$ gcloud auth login `ACCOUNT`
/opt/hostedtoolcache/gcloud/333.0.0/x64/bin/gcloud app deploy --quiet dist/app.yaml --promote
ERROR: (gcloud.app.deploy) You do not currently have an active account selected.
Please run:
$ gcloud auth login
to obtain new credentials.
If you have already logged in with a different account:
$ gcloud config set account ACCOUNT
to select an already authenticated account to use.
Error: The process '/opt/hostedtoolcache/gcloud/333.0.0/x64/bin/gcloud' failed with exit code 1
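The same thing happens when I provide both the project_id and the SA key. According to the documentation I don't need to do any login; I can just pass my service account credentials and the rest should take care of itself. Where am I going wrong?
Solution
So the answer to this question is that I had set the secrets at the environment level.
I currently have 2 environments: develop and master. I had set the secrets at that level.
When I created two new secrets at the repository level, that solved the problem.
The documentation does mention repository secrets, but it could make it clearer that this does not work with environment-level secrets.
I did get a further error to do with permissions, though. I had set Compute Storage Admin, but this job needed Cloud Storage Admin.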
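A pre-flight check for the failure described above, as an added example that is not part of the original post or of the google-github-actions project. A secret that is not in scope for a job (for example an environment-level secret when the job declares no `environment:`) expands to an empty string instead of failing, which matches the "No credentialed accounts" output in the question. The environment variable name `GCP_SA_KEY`, the function names and the required-field list are assumptions of this example.

```python
import base64
import json
import os
import sys

# Fields this example requires; the list is an assumption based on the key file shown above.
REQUIRED = ("type", "project_id", "private_key", "client_email")


def _as_json_text(raw):
    """Return raw as-is if it looks like JSON, else try to base64-decode it."""
    text = raw.strip()
    if not text.startswith("{"):
        try:
            text = base64.b64decode(text, validate=True).decode("utf-8")
        except ValueError:
            pass  # not base64 either; json.loads below reports the problem
    return text


def check_sa_key(raw):
    """Return a list of problems with a service-account key (empty list = usable).

    Messages never include the key material itself, so they are safe to log.
    """
    if raw is None or not raw.strip():
        return ["credential is empty: the secret is not visible to this job "
                "(repository vs environment scope?)"]
    try:
        key = json.loads(_as_json_text(raw))
    except json.JSONDecodeError as exc:
        return [f"credential is not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["credential JSON is not an object"]
    problems = [f"missing field: {name}" for name in REQUIRED if not key.get(name)]
    if key.get("type") and key["type"] != "service_account":
        problems.append("type is not 'service_account'")
    pem = key.get("private_key")
    if pem and not (isinstance(pem, str) and pem.startswith("-----BEGIN PRIVATE KEY-----")):
        problems.append("private_key is not a PEM private key")
    return problems


if __name__ == "__main__":
    found = check_sa_key(os.environ.get("GCP_SA_KEY"))  # env var name is an assumption
    for problem in found:
        print(f"::error::{problem}")  # GitHub Actions error annotation
    sys.exit(1 if found else 0)
```

Run it in a step placed before the deploy step, with `GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}` set under that step's `env:`, so the job stops with a clear annotation instead of reaching `gcloud app deploy` unauthenticated.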