使用“--set-sql-instance”参数部署到云运行时,云构建权限被拒绝
[英]Cloud build permission denied when deploy to cloud run with “--set-sql-instance” argument
问题描述
I'm trying to configure cloud build triggers which build maven springboot project and then deploy to cloud runs.
我正在尝试配置构建maven springboot项目然后部署到云运行的云构建触发器。 I run into a problem where it works when i don't specify the cloud sql instance to be connected with, but when I add "--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}" as one of the args, it throws error on cloud build as follows:当我没有指定要连接的云 sql 实例时,我遇到了一个问题,但是当我添加"--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}"作为参数之一时,它在云构建上引发错误,如下所示:
Step #1: ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission
Finished Step #1
ERROR
ERROR: build step 1 "gcr.io/cloud-builders/gcloud" failed: exit status 1
Following is my cloudbuild.yml以下是我的cloudbuild.yml
steps:
- name: 'gcr.io/kaniko-project/executor:latest'
args:
- --destination=gcr.io/$PROJECT_ID/${_IMAGE_NAME}
- --cache=true
- name: 'gcr.io/cloud-builders/gcloud'
args: [
"beta", "run",
"deploy", "${_SERVICE_NAME}-${_PROFILE}",
"--image", "gcr.io/${PROJECT_ID}/${_IMAGE_NAME}",
"--region", "${_REGION}",
"--platform", "managed",
"--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}",
"--allow-unauthenticated",
"--set-env-vars", "SPRING_PROFILES_ACTIVE=${_SPRING_PROFILE},DATABASE_CONNECTION_NAME=${_DATABASE_CONNECTION_NAME},DATABASE_NAME=${_DATABASE_NAME},DATABASE_USERNAME=${_DATABASE_USERNAME},DATABASE_PASSWORD=${_DATABASE_PASSWORD},MINIO_ACCESS_KEY=${_MINIO_ACCESS_KEY},MINIO_SECRET_KEY=${_MINIO_SECRET_KEY},MINIO_HOSTNAME=${_MINIO_HOSTNAME},MINIO_PORT=${_MINIO_PORT}"
]
images:
- gcr.io/${PROJECT_ID}/${_IMAGE_NAME}
and I already set roles/permission for service account as follow:我已经为服务帐户设置了角色/权限,如下所示:
-
{PROJECT_ID}-compute@developer.gserviceaccount.com: Editor, Cloud Sql Client <-- Default SA{PROJECT_ID}-compute@developer.gserviceaccount.com:编辑,云 Sql 客户端 <-- 默认 SA -
<Cloud run service agent>: Cloud Run Service Agent, Cloud SQL Client<Cloud run service agent>:云运行服务代理,云SQL客户端 <Cloud Build SA>: Cloud Build SA, Cloud Run Admin<Cloud Build SA>:Cloud Build SA、Cloud Run 管理员
My Cloud Run service also use default service account as its SA My Cloud Run 服务还使用默认服务帐户作为其 SA
2 个解决方案
解决方案1
5 已采纳 2019-11-17 04:28:11
Make sure you've also given the Cloud Build Service Account the iam.serviceAccountUser role, allowing it to impersonate the Cloud Run runtime service account during the build.确保您还为 Cloud Build 服务帐号提供了iam.serviceAccountUser角色,允许它在构建期间模拟 Cloud Run 运行时服务帐号。
gcloud iam service-accounts add-iam-policy-binding
PROJECT_NUMBER-compute@developer.gserviceaccount.com
--member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com"
--role="roles/iam.serviceAccountUser"
See Cloud Run deployment permissions for more info.有关详细信息,请参阅Cloud Run 部署权限。
解决方案2
0 2020-02-15 15:27:42
I am using a service account to deploy a cloud run function with sql connections.我正在使用服务帐户部署具有 sql 连接的云运行 function。 I found that the service account needs the following permissions:我发现服务帐号需要以下权限:
- serviceusage.quotas.get serviceusage.quotas.get
- serviceusage.services.get serviceusage.services.get
- serviceusage.services.list serviceusage.services.list
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.