[英]Google AppEngine Getting 403 forbidden trying to update cron.yaml
I am following the docs on how to backup datastore using AppEngine. 我正在关注有关如何使用AppEngine 备份数据存储区的文档 。 I am performing a
gcloud app deploy cron.yaml
command on a GCE VM that is meant to update a cronjob in AppEngine. 我正在GCE VM上执行
gcloud app deploy cron.yaml
命令,该命令旨在更新AppEngine中的cronjob。 the GCE VM and AppEngine cron are in the same project, and I have granted AppEngine admin to the GCE VM via a default Service Account. GCE VM和AppEngine cron位于同一项目中,并且我已通过默认服务帐户将AppEngine管理员授予GCE VM。 When I run this on my local machine, it updates fine.
当我在本地计算机上运行它时,它会更新正常。 However on the GCE instance, thats where issues arise
但是在GCE实例中,这就是问题所在
Here are the files 这是文件
runtime: python27
api_version: 1
threadsafe: true
service: cloud-datastore-admin
libraries:
- name: webapp2
version: "latest"
handlers:
- url: /cloud-datastore-export
script: cloud_datastore_admin.app
login: admin
cron:
- description: "Daily Cloud Datastore Export"
url: /cloud-datastore-export?namespace_id=&output_url_prefix=gs://<my-project-id>-bucket
target: cloud-datastore-admin
schedule: every 24 hours
import datetime
import httplib
import json
import logging
import webapp2
from google.appengine.api import app_identity
from google.appengine.api import urlfetch
class Export(webapp2.RequestHandler):
def get(self):
access_token, _ = app_identity.get_access_token(
'https://www.googleapis.com/auth/datastore')
app_id = app_identity.get_application_id()
timestamp = datetime.datetime.now().strftime('%Y%m%d-%H%M%S')
output_url_prefix = self.request.get('output_url_prefix')
assert output_url_prefix and output_url_prefix.startswith('gs://')
if '/' not in output_url_prefix[5:]:
# Only a bucket name has been provided - no prefix or trailing slash
output_url_prefix += '/' + timestamp
else:
output_url_prefix += timestamp
entity_filter = {
'kinds': self.request.get_all('kind'),
'namespace_ids': self.request.get_all('namespace_id')
}
request = {
'project_id': app_id,
'output_url_prefix': output_url_prefix,
'entity_filter': entity_filter
}
headers = {
'Content-Type': 'application/json',
'Authorization': 'Bearer ' + access_token
}
url = 'https://datastore.googleapis.com/v1/projects/%s:export' % app_id
try:
result = urlfetch.fetch(
url=url,
payload=json.dumps(request),
method=urlfetch.POST,
deadline=60,
headers=headers)
if result.status_code == httplib.OK:
logging.info(result.content)
elif result.status_code >= 500:
logging.error(result.content)
else:
logging.warning(result.content)
self.response.status_int = result.status_code
except urlfetch.Error:
logging.exception('Failed to initiate export.')
self.response.status_int = httplib.INTERNAL_SERVER_ERROR
app = webapp2.WSGIApplication(
[
('/cloud-datastore-export', Export),
], debug=True)
The Error I'm getting is 我得到的错误是
Configurations to update:
descriptor: [/usr/local/sbin/pluto/<my-project-id>/datastore/cron.yaml]
type: [cron jobs]
target project: [<my-project-id>]
Do you want to continue (Y/n)?
Updating config [cron]...
failed.
ERROR: (gcloud.app.deploy) Server responded with code [403]:
Forbidden Unexpected HTTP status 403.
You do not have permission to modify this app (app_id=u'e~<my-project-id>').
I have checked other posts related to this, however they seem to deal with an old version/deployment of appengine 我检查了与此相关的其他帖子,但是它们似乎处理的是旧版本/ appengine的部署
From Deploying using IAM roles : 从使用IAM角色进行部署 :
To grant a user account the ability to deploy to App Engine:
要授予用户帐户部署到App Engine的能力,请执行以下操作:
Click Add member to add the user account to the project and then select all of the roles for that account by using the dropdown menu:
单击添加成员以将用户帐户添加到项目中,然后使用下拉菜单选择该帐户的所有角色:
Required roles to allow an account to deploy to App Engine:
允许帐户部署到App Engine的必需角色:
a.
一种。 Set the one of the following roles:
设置以下角色之一:
- Use the App Engine > App Engine Deployer role to allow the account to deploy a version of an app.
使用“ App Engine”>“ App Engine Deployer”角色可以允许该帐户部署应用程序的版本。
- To also allow the
dos.yaml
ordispatch.yaml
files to be deployed with an app, use the App Engine > App Engine Admin role instead.要同时允许将
dos.yaml
或dispatch.yaml
文件与应用程序一起部署,请改用App Engine> App Engine管理员角色。The user account now has adequate permission to use the Admin API to deploy apps .
现在,该用户帐户具有使用Admin API部署应用程序的足够权限。
b.
湾 To allow use of App Engine tooling to deploy apps, you must also give the user account the Storage > Storage Admin role so that the tooling has permission to upload to Cloud Storage .
要允许使用App Engine 工具部署应用程序,您还必须为用户帐户提供Storage> Storage Admin角色,以便该工具有权上传到Cloud Storage 。
Optional .
可选的 。 Give the user account the following roles to grant permission for uploading additional configuration files:
为用户帐户授予以下角色,以授予上传其他配置文件的权限:
- Cloud Scheduler > Cloud Scheduler Admin role: Permissions for uploading
cron.yaml
files.Cloud Scheduler> Cloud Scheduler管理员角色:上传
cron.yaml
文件的权限。
Potentially of interest: 潜在的兴趣:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.