[英]GKE / Cloud IAM workload Identity setup error 403
We have setup a CloudSQL proxy as a sidecar container for one of our Java / Tomcat based app.我们已经为我们的一个基于 Java / Tomcat 的应用程序设置了一个 CloudSQL 代理作为 sidecar 容器。
Here's how we setup workload identity to enable our app to connect to CloudSQL through cloudsql proxy:以下是我们如何设置工作负载标识以让我们的应用程序能够通过 cloudsql 代理连接到 CloudSQL:
Created Cloud IAM Service Account and gave it SQL Client permission:创建 Cloud IAM 服务帐户并授予它 SQL 客户端权限:
Setup Policy Binding as follows:设置策略绑定如下:
gcloud iam service-accounts add-iam-policy-binding \\ --role roles/iam.workloadIdentityUser \\ --member "serviceAccount:[PROJECT_ID].svc.id.goog[default/default]" \\ [GSA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
Added annotation to GKE Service Account:向 GKE 服务帐户添加了注释:
kubectl annotate serviceaccount \\ --namespace [K8S_NAMESPACE] \\ [KSA_NAME] \\ iam.gke.io/gcp-service-account=[GSA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
But when we test this using:但是当我们使用以下方法测试时:
kubectl run --rm -it \\ --generator=run-pod/v1 \\ --image google/cloud-sdk:slim \\ --serviceaccount [KSA_NAME] \\ --namespace [K8S_NAMESPACE] \\ workload-identity-test
Despite doing everything correctly as explained on this page still results in:尽管按照此页面上的说明正确执行了所有操作,但仍会导致:
Error 403: The client is not authorized to make this request., notAuthorized
It turns out there is a glitch in Google Cloud IAM which seems to affect service accounts.事实证明,Google Cloud IAM 中存在一个似乎影响服务帐户的故障。
which should fix the issue.这应该解决问题。 Of course you'll have to redo step 2 and 3 again to complete the setup but it works.当然,您必须再次重做第 2 步和第 3 步才能完成设置,但它可以工作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.