Terraform throws Error setting IAM policy for service account ... Permission iam.serviceAccounts.setIamPolicy is required
I am trying to create a very simple structure on GCP using Terraform: a compute instance + storage bucket. I did some research across GCP documentation, Terraform documentation and SO questions as well, and still can't understand what the trick is here.
There is one suggestion to use google_project_iam_binding, but reading through some articles it seems to be dangerous (read: insecure solution). There's also a general answer with only GCP descriptions, not using tf terms here, which is still a bit confusing. And also concluding the similar question here, I confirm that the domain name ownership was verified via Google Console.
So, I ended up with the following:
    data "google_iam_policy" "admin" {
      binding {
        role = "roles/iam.serviceAccountUser"
        members = [
          "user:myemail@domain.name",
          "serviceAccount:${google_service_account.serviceaccount.email}",
        ]
      }
    }

    resource "google_service_account" "serviceaccount" {
      account_id = "sa-1"
    }

    resource "google_service_account_iam_policy" "admin-acc-iam" {
      service_account_id = google_service_account.serviceaccount.name
      policy_data        = data.google_iam_policy.admin.policy_data
    }

    resource "google_storage_bucket_iam_policy" "policy" {
      bucket      = google_storage_bucket.storage_bucket.name
      policy_data = data.google_iam_policy.admin.policy_data
    }

    resource "google_compute_network" "vpc_network" {
      name                    = "vpc-network"
      auto_create_subnetworks = "true"
    }

    resource "google_compute_instance" "instance_1" {
      name         = "instance-1"
      machine_type = "f1-micro"

      boot_disk {
        initialize_params {
          image = "cos-cloud/cos-stable"
        }
      }

      network_interface {
        network = google_compute_network.vpc_network.self_link
        access_config {
        }
      }
    }

    resource "google_storage_bucket" "storage_bucket" {
      name          = "bucket-1"
      location      = "US"
      force_destroy = true

      website {
        main_page_suffix = "index.html"
        not_found_page   = "404.html"
      }

      cors {
        origin          = ["http://the.domain.name"]
        method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
        response_header = ["*"]
        max_age_seconds = 3600
      }
    }
but if I terraform apply, the logs show me an error like this:
Error: Error setting IAM policy for service account 'trololo': googleapi: Error 403: Permission iam.serviceAccounts.setIamPolicy is required to perform this operation on service account trololo., forbidden
2020/09/28 19:19:34 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
on main.tf line 35, in resource "google_service_account_iam_policy" "admin-acc-iam":
35: resource "google_service_account_iam_policy" "admin-acc-iam" {
2020/09/28 19:19:34 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
Error: googleapi: Error 403: The bucket you tried to create is a domain name owned by another user., forbidden
on main.tf line 82, in resource "google_storage_bucket" "storage_bucket":
and some useless debug info. What's wrong? What account is missing what permissions, and how do I assign them securely?
I found the problem. As always, in 90% of cases, the issue is sitting in front of the computer.
Here are the steps that helped me to understand and to resolve the problem:
- terraform destroy is also very important since there is no rollback of an unsuccessful deploy of new infrastructure changes (like with DB migrations, for example) - thus you have to clean up either with destroy or manually
- "user:${var.admin_email}" user account IAM policy, since it is useless; everything has to be managed by the newly created service account
- roles/iam.serviceAccountAdmin instead of a User - thanks @Wojtek_B for the hint
After this everything works smoothly!
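An added example (not the asker's or answerer's configuration) of a least-privilege layout consistent with the steps above: the identity that runs terraform apply holds roles/iam.serviceAccountAdmin, which carries iam.serviceAccounts.setIamPolicy, and every grant uses the non-authoritative *_iam_member resources instead of the google_iam_policy document, which replaces all existing bindings on whatever resource it is applied to. The variables project_id, deployer_email and bucket_name are assumptions.

```hcl
variable "project_id"     { type = string }
variable "deployer_email" { type = string } # assumed: the identity running terraform apply
variable "bucket_name"    { type = string } # assumed: a bucket name you own (domain names need verification)

# Without iam.serviceAccounts.setIamPolicy the google_service_account_iam_*
# resources below fail with the 403 from the question. roles/iam.serviceAccountAdmin
# includes that permission. google_project_iam_member only ADDS this member to the
# role; google_project_iam_binding would make the member list authoritative and
# silently drop everyone else holding the role. A project owner normally applies
# this grant once, out of band, before the deployer runs the rest of this config.
resource "google_project_iam_member" "deployer_sa_admin" {
  project = var.project_id
  role    = "roles/iam.serviceAccountAdmin"
  member  = "user:${var.deployer_email}"
}

resource "google_service_account" "sa" {
  account_id = "sa-1"
}

# Non-authoritative: lets the deployer act as the service account without
# replacing any binding already present on it. The authoritative
# google_service_account_iam_policy from the question would overwrite them all.
resource "google_service_account_iam_member" "deployer_can_act_as" {
  service_account_id = google_service_account.sa.name
  role               = "roles/iam.serviceAccountUser"
  member             = "user:${var.deployer_email}"
}

resource "google_storage_bucket" "site" {
  name                        = var.bucket_name
  location                    = "US"
  uniform_bucket_level_access = true # IAM only, no per-object ACLs
}

# A storage role scoped to one bucket. roles/iam.serviceAccountUser carries no
# storage permissions, so reusing the service-account policy document on the
# bucket (as the question does) grants nothing useful there.
resource "google_storage_bucket_iam_member" "sa_objects" {
  bucket = google_storage_bucket.site.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.sa.email}"
}
```

Before applying, the deployer can confirm which identity the provider is using and whether the project grant exists with gcloud auth list and gcloud projects get-iam-policy; the 403 in the question means the caller, not the new service account, lacks the permission.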