[英]Assigning IAM Policy to an existing Cloud Build Service Account in Google cloud using terraform fails
I am trying to assign a IAM policy document to an existing Cloud Build Service Account, but its failing for some reason.我正在尝试将 IAM 策略文档分配给现有的 Cloud Build 服务帐户,但由于某种原因失败了。 following is my iam policy以下是我的 iam 政策
data "google_iam_policy" "vulznotepolicy" {
binding {
role = "roles/containeranalysis.notes.occurrences.viewer"
members = [
"serviceaccount:<project_number>@cloudbuild.gserviceaccount.com"
]
}
}
following is policy assignment to Service account以下是服务帐户的策略分配
resource "google_service_account_iam_policy" "buildsa" {
service_account_id = "serviceaccount:<project_number>@cloudbuild.gserviceaccount.com"
policy_data = data.google_iam_policy.vulznotepolicy.policy_data
}
service account id doesn't accept the format that i have provided.服务帐户 ID 不接受我提供的格式。 I have given just the <project_number> still it doesn't accept.我只给出了 <project_number> 仍然不接受。 Not sure what the issue is不确定是什么问题
As suggested rightly by John, i added the roles to the service account using the following正如约翰正确建议的那样,我使用以下方法将角色添加到服务帐户
resource "google_project_iam_policy" "buildsa" {
project = var.project_id
policy_data = data.google_iam_policy.vulznotepolicy.policy_data
}
Although this works but can cause serious problems as follows.虽然这有效,但会导致如下严重问题。 Please proceed with caution请谨慎行事
Since this is an authoritative operation, it will lock you out of your account if the operations are not carefully managed.由于这是一项权威操作,如果管理不当,它会将您锁定在您的帐户之外。 This is from terraform "It's not recommended to use google_project_iam_policy with your provider project to avoid locking yourself out, and it should generally only be used with projects fully managed by Terraform. If you do use this resource, it is recommended to import the policy before applying the change."这来自 terraform “不建议将 google_project_iam_policy 与您的提供商项目一起使用,以避免将自己锁定在外,并且通常只应将其用于由 Terraform 完全管理的项目。如果您确实使用此资源,建议在之前导入策略应用更改。”
I can see that you're trying to give the Cloud Build Service account some IAM permissions using Terraform.我可以看到您正在尝试使用 Terraform 为 Cloud Build 服务帐户授予一些 IAM 权限。
I would start by reading this document about IAM Roles on Cloud Build [1], then you can check how the Cloud Build Service Account behaves [2], and then how to configure it [3].我首先阅读有关 Cloud Build 上的 IAM 角色的文档 [1],然后您可以检查 Cloud Build 服务帐户的行为方式 [2],然后是如何配置它 [3]。
Since you're using Terraform, I would also have a look here [4].由于您使用的是 Terraform,我也想看看这里 [4]。
These can help you understand why you're running into this issue, as pointed out in a comment.正如评论中所指出的,这些可以帮助您理解为什么会遇到此问题。
[1]https://cloud.google.com/cloud-build/docs/iam-roles-permissions [1]https://cloud.google.com/cloud-build/docs/iam-roles-permissions
[2] https://cloud.google.com/cloud-build/docs/cloud-build-service-account [2] https://cloud.google.com/cloud-build/docs/cloud-build-service-account
[3] https://cloud.google.com/cloud-build/docs/securing-builds/configure-access-for-cloud-build-service-account#before_you_begin [3] https://cloud.google.com/cloud-build/docs/securing-builds/configure-access-for-cloud-build-service-account#before_you_begin
[4] https://www.terraform.io/docs/providers/google/r/google_service_account_iam.html [4] https://www.terraform.io/docs/providers/google/r/google_service_account_iam.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.