将已有的Firebase工程导入Terraform State收到403错误
[英]Import of existing Firebase Project into Terraform State receiving 403 error
问题描述
While migrating our existing infrastructure into an "Infrastructure as Code" Setup, we also needed to import an existing Firebase Project.
在将我们现有的基础架构迁移到“基础架构即代码”设置时,我们还需要导入现有的 Firebase 项目。
Following the instructions from the GCP beta Terraform provider .按照GCP beta Terraform 提供程序的说明进行操作。 The following snippet was added to the corresponding terraform module.以下代码片段已添加到相应的 terraform 模块中。
resource "google_firebase_project" "default" {
provider = google-beta
project = "my-project-id"
}
The Import of the existing Firebase project was initiated by running the command现有 Firebase 项目的导入是通过运行命令启动的
terraform import google_firebase_project.default my-project-id
This led to the following output:这导致以下 output:
google_firebase_project.default: Importing from ID "my-project-id"...
google_firebase_project.default: Import prepared!
Prepared google_firebase_project for import
google_firebase_project.default: Refreshing state... [id=projects/my-project-id]
Error: Error when reading or editing FirebaseProject "projects/my-project-id": googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the firebase.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/.
The error was obtained running Terraform with a Service Account or using a end user account to impersonate a service account.使用服务帐户运行 Terraform 或使用最终用户帐户模拟服务帐户时出现错误。 All identities had Owner permissions on the corresponding GCP project.所有身份都对相应的 GCP 项目具有所有者权限。
1 个解决方案
解决方案1
1 已采纳 2022-02-15 16:44:52
Your error message is not directly related to your usage of firebase terraform resources, but rather to the fact that you can not talk to the firebase APIs with a human user.您的错误消息与您对 firebase terraform 资源的使用没有直接关系,而是与您无法与人类用户对话 firebase API 的事实有关。 Instead you should create a service account, eg called terraform , give it the permissions needed to create firebase resources and give your user the permission to impersonate the service account.相反,您应该创建一个服务帐户,例如terraform ,为其提供创建 firebase 资源所需的权限,并为您的用户提供模拟服务帐户的权限。
Then you need to configure your GCP provider like so然后你需要像这样配置你的 GCP 提供者
provider "google" {
impersonate_service_account = "terraform@my-gcp-project.iam.gserviceaccount.com"
}
provider "google-beta" {
impersonate_service_account = "terraform@my-gcp-project.iam.gserviceaccount.com"
}
It can be advisable to create a single terraform service account in a shared project and use it to create all other resources through terraform. See also https://github.com/terraform-google-modules/terraform-google-bootstrap for this pattern.建议在共享项目中创建一个 terraform 服务帐户,并使用它通过 terraform 创建所有其他资源。另请参阅https://github.com/terraform-google-modules/terraform-google-bootstrap了解此模式.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.