Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error
I have created a custom service account travisci-deployer@PROJECT_ID.iam.gserviceaccount.com
on my project and gave it the Cloud Run Admin role:
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
--member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
--role="roles/run.admin"
Then I set this service account as the identity for my gcloud commands:
gcloud auth activate-service-account --key-file=google-key.json
But when I ran the gcloud beta run deploy
command, I got an error about the "Compute Engine default service account" not having the iam.serviceAccounts.actAs
permission:
gcloud beta run deploy -q "${SERVICE_NAME}" \
--image="${CONTAINER_IMAGE}" \
--allow-unauthenticated
Deploying container to Cloud Run service [$APP_NAME] in project [$PROJECT_ID] region [us-central1]
Deploying...
Deployment failed
ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: Permission 'iam.serviceaccounts.actAs'
denied on service account 1075231960084-compute@developer.gserviceaccount.com
This seems weird to me (because I'm not using the GCE default service account identity, although it's used by the Cloud Run app once the app is deployed).
So is the 1075231960084-compute@developer.gserviceaccount.com
account being used for the API call, and not my travisci-deployer@PROJECT_ID.iam.gserviceaccount.com
service account configured on gcloud?
How can I address this?
TLDR: Add the Cloud Run Admin and Service Account User roles to your service account.
If we read in detail the docs on the IAM reference page for Cloud Run (found here), we find the following text:
A user needs the following permissions to deploy new Cloud Run services or revisions:
- run.services.create and run.services.update on the project level. Typically assigned through the roles/run.admin role. It can be changed in the project permissions admin page.
- iam.serviceAccounts.actAs for the Cloud Run runtime service account. By default, this is PROJECT_NUMBER-compute@developer.gserviceaccount.com. The permission is typically assigned through the roles/iam.serviceAccountUser role.
I think these extra steps explain the story as you see it.
Adding the Cloud Run Admin and Service Account User roles to my own service account fixed this for me. See step 2 in the docs here: https://cloud.google.com/run/docs/continuous-deployment#continuous
Though you can resolve this particular error by granting the account permission to act as the Compute Engine default service account, it goes against the "best practices" advice:
By default, Cloud Run services run as the default Compute Engine service account. However, Google recommends using a user-managed service account with the most minimal set of permissions. Learn how to deploy Cloud Run services with user-managed service accounts in the Cloud Run service identity documentation.
You can indicate which service account identity the Cloud Run deployment will assume like so:
gcloud run deploy -q "${SERVICE_NAME}" \
--image="${CONTAINER_IMAGE}" \
--allow-unauthenticated \
--service-account "${SERVICE_ACCOUNT_EMAIL}"
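The two prerequisites quoted from the IAM reference above (roles/run.admin on the project, and actAs on the runtime service account) can be checked before a pipeline ever calls gcloud run deploy. The checker below is an added example written for this page; it is not code from any of the answers or from Google's documentation. It reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` return, reports which of the two grants the deployer is missing, and emits the exact gcloud command for each. The project id my-project, the deployer and runtime account emails, and both policy documents are constructed sample data. It also covers the --service-account case from the answer just above: pass the user-managed runtime account instead of the Compute Engine default one and the actAs check moves to that account.

```python
"""Pre-deployment check for the two IAM grants a Cloud Run deployer needs."""
import json
from typing import Dict, List, Set

RUN_ADMIN = "roles/run.admin"
SA_USER = "roles/iam.serviceAccountUser"

# Constructed sample in the shape returned by
#   gcloud projects get-iam-policy my-project --format=json
# The deployer holds roles/run.admin. Its only Service Account User binding is
# conditional (time-limited), which the checker deliberately does not count.
PROJECT_POLICY: Dict = json.loads("""
{
  "bindings": [
    {"role": "roles/run.admin",
     "members": ["serviceAccount:travisci-deployer@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:travisci-deployer@my-project.iam.gserviceaccount.com"],
     "condition": {"title": "expired-trial",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
  ],
  "etag": "BwWexample=",
  "version": 3
}
""")

# Constructed sample in the shape returned by
#   gcloud iam service-accounts get-iam-policy RUNTIME_SA_EMAIL --format=json
# An empty policy: nobody has been granted a role on this account directly.
RUNTIME_SA_POLICY: Dict = json.loads('{"etag": "ACAB", "version": 1}')


def members_with_role(policy: Dict, role: str) -> Set[str]:
    """Members bound to `role` without an IAM condition.

    Conditional bindings are skipped on purpose: a static check cannot
    evaluate the condition, so they must not be reported as a guaranteed grant.
    """
    return {
        member
        for binding in policy.get("bindings", [])
        if binding.get("role") == role and "condition" not in binding
        for member in binding.get("members", [])
    }


def missing_grants(deployer_email: str, project_id: str, runtime_sa_email: str,
                   project_policy: Dict, runtime_sa_policy: Dict) -> List[str]:
    """Return the gcloud commands still needed before `deployer_email` can deploy.

    1. roles/run.admin on the project (run.services.create / run.services.update).
    2. iam.serviceAccounts.actAs on the runtime service account, normally via
       roles/iam.serviceAccountUser. The role may be bound on the runtime SA
       itself or project-wide; the project-wide form lets the deployer act as
       every service account in the project, so the remediation proposes the
       SA-level binding (least privilege).
    """
    member = f"serviceAccount:{deployer_email}"
    fixes: List[str] = []
    if member not in members_with_role(project_policy, RUN_ADMIN):
        fixes.append(
            f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member={member} --role={RUN_ADMIN}"
        )
    can_act_as = (
        member in members_with_role(runtime_sa_policy, SA_USER)
        or member in members_with_role(project_policy, SA_USER)
    )
    if not can_act_as:
        fixes.append(
            f"gcloud iam service-accounts add-iam-policy-binding {runtime_sa_email} "
            f"--member={member} --role={SA_USER}"
        )
    return fixes


if __name__ == "__main__":
    deployer = "travisci-deployer@my-project.iam.gserviceaccount.com"
    # Case 1: no --service-account, so the runtime SA is the Compute Engine
    # default account named in the question's error message.
    for cmd in missing_grants(deployer, "my-project",
                              "1075231960084-compute@developer.gserviceaccount.com",
                              PROJECT_POLICY, RUNTIME_SA_POLICY):
        print(cmd)
    # Case 2: deploying with --service-account=cloud-run-app@..., so actAs is
    # needed on that user-managed account rather than on the default one.
    for cmd in missing_grants(deployer, "my-project",
                              "cloud-run-app@my-project.iam.gserviceaccount.com",
                              PROJECT_POLICY, RUNTIME_SA_POLICY):
        print(cmd)
```

Run against the constructed policies, case 1 reports only the missing actAs grant on 1075231960084-compute@developer.gserviceaccount.com, which is exactly the error in the question; the project-level Service Account User binding is not counted because it carries a condition. Feed the real policy JSON from the two gcloud get-iam-policy commands into the same functions to check a live project.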
Currently, in beta, all Cloud Run services run as the default compute account (the same as the Google Compute Engine default service account).
The ability to run services as a different service account will be available in a future release.