堆栈内存溢出
  简体   繁体   English

使用 terraform 将 IAM 策略分配给 Google 云中的现有 Cloud Build 服务帐户失败

[英]Assigning IAM Policy to an existing Cloud Build Service Account in Google cloud using terraform fails

 原文  2020-09-01 05:39:30       google-cloud-platform/ terraform-provider-gcp

问题描述

I am trying to assign a IAM policy document to an existing Cloud Build Service Account, but its failing for some reason.我正在尝试将 IAM 策略文档分配给现有的 Cloud Build 服务帐户,但由于某种原因失败了。 following is my iam policy以下是我的 iam 政策

data "google_iam_policy" "vulznotepolicy" {
binding {
  role = "roles/containeranalysis.notes.occurrences.viewer"

  members = [
  "serviceaccount:<project_number>@cloudbuild.gserviceaccount.com"
  ]
 }
}

following is policy assignment to Service account以下是服务帐户的策略分配

resource "google_service_account_iam_policy" "buildsa" {
service_account_id = "serviceaccount:<project_number>@cloudbuild.gserviceaccount.com"
policy_data        = data.google_iam_policy.vulznotepolicy.policy_data
}

service account id doesn't accept the format that i have provided.服务帐户 ID 不接受我提供的格式。 I have given just the <project_number> still it doesn't accept.我只给出了 <project_number> 仍然不接受。 Not sure what the issue is不确定是什么问题

2 个解决方案

解决方案1
 1  2020-09-02 01:20:59

As suggested rightly by John, i added the roles to the service account using the following正如约翰正确建议的那样,我使用以下方法将角色添加到服务帐户

resource "google_project_iam_policy" "buildsa" {
project = var.project_id
policy_data        = data.google_iam_policy.vulznotepolicy.policy_data
}

Although this works but can cause serious problems as follows.虽然这有效,但会导致如下严重问题。 Please proceed with caution请谨慎行事

Since this is an authoritative operation, it will lock you out of your account if the operations are not carefully managed.由于这是一项权威操作,如果管理不当,它会将您锁定在您的帐户之外。 This is from terraform "It's not recommended to use google_project_iam_policy with your provider project to avoid locking yourself out, and it should generally only be used with projects fully managed by Terraform. If you do use this resource, it is recommended to import the policy before applying the change."这来自 terraform “不建议将 google_project_iam_policy 与您的提供商项目一起使用,以避免将自己锁定在外,并且通常只应将其用于由 Terraform 完全管理的项目。如果您确实使用此资源,建议在之前导入策略应用更改。”

解决方案2
 -2  2020-09-01 15:26:08

I can see that you're trying to give the Cloud Build Service account some IAM permissions using Terraform.我可以看到您正在尝试使用 Terraform 为 Cloud Build 服务帐户授予一些 IAM 权限。

I would start by reading this document about IAM Roles on Cloud Build [1], then you can check how the Cloud Build Service Account behaves [2], and then how to configure it [3].我首先阅读有关 Cloud Build 上的 IAM 角色的文档 [1],然后您可以检查 Cloud Build 服务帐户的行为方式 [2],然后是如何配置它 [3]。

Since you're using Terraform, I would also have a look here [4].由于您使用的是 Terraform,我也想看看这里 [4]。

These can help you understand why you're running into this issue, as pointed out in a comment.正如评论中所指出的,这些可以帮助您理解为什么会遇到此问题。

[1]https://cloud.google.com/cloud-build/docs/iam-roles-permissions [1]https://cloud.google.com/cloud-build/docs/iam-roles-permissions

[2] https://cloud.google.com/cloud-build/docs/cloud-build-service-account [2] https://cloud.google.com/cloud-build/docs/cloud-build-service-account

[3] https://cloud.google.com/cloud-build/docs/securing-builds/configure-access-for-cloud-build-service-account#before_you_begin [3] https://cloud.google.com/cloud-build/docs/securing-builds/configure-access-for-cloud-build-service-account#before_you_begin

[4] https://www.terraform.io/docs/providers/google/r/google_service_account_iam.html [4] https://www.terraform.io/docs/providers/google/r/google_service_account_iam.html

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用 Terraform 在不同项目中为 Google Cloud 中的其他项目服务帐户添加 IAM 角色 - How can I add IAM role for other project service account in Google Cloud in different project using Terraform GCP:使用 Terraform 从服务帐户中删除 IAM 策略 - GCP: Remove IAM policy from Service Account using Terraform Google Cloud CloudSQL 实例无法使用 Terraform 提供程序创建,并出现错误“未找到每产品每项目服务帐户” - Google Cloud CloudSQL Instance Fails To Create using Terraform Provider With Error "Per-Product Per-Project Service Account is not found" 如何通过 terraform 使用服务帐户创建谷歌云 pubsub 拉取订阅? - How to create a google cloud pubsub pull subscriptions with service account by terraform? Terraform 抛出为服务帐户设置 IAM 策略时出错...需要权限 iam.serviceAccounts.setIamPolicy - Terraform throws Error setting IAM policy for service account ... Permission iam.serviceAccounts.setIamPolicy is required 如何使用 Cloud Function 服务帐户在 Cloud Function 中创建签名的 Google Cloud Storage URL? - How to create signed Google Cloud Storage URLs in Cloud Function using Cloud Function service account? 用于云构建的跨项目服务帐户模拟 - Cross project service account impersonation for cloud build 开始使用 Google Cloud Kubernetes 集群后,Cloud Build 无法部署 Cloud Run - Cloud Build fails to deploy Cloud Run after started using Google Cloud Kubernetes Cluster 如何使用 Python 中的服务帐户向 Google Cloud 进行身份验证? - How to Auth to Google Cloud using Service Account in Python? 作为浏览器上的服务帐户向谷歌云进行身份验证 - Authenticate to google cloud as a service account on browser
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM