堆栈内存溢出
  简体   繁体   English

Terraform 抛出为服务帐户设置 IAM 策略时出错...需要权限 iam.serviceAccounts.setIamPolicy

[英]Terraform throws Error setting IAM policy for service account ... Permission iam.serviceAccounts.setIamPolicy is required

 原文  2020-09-28 18:23:53       google-cloud-platform/ terraform/ devops/ terraform-provider-gcp/ google-cloud-iam

问题描述

I am trying to create a very simple structure on GCP using Terraform: a compute instance + storage bucket.我正在尝试使用 Terraform 在 GCP 上创建一个非常简单的结构:计算实例 + 存储桶。 I did some research across GCP documentation, Terraform documentation, SO questions as well and still can't understand what's the trick here.我对 GCP 文档、Terraform 文档以及 SO 问题进行了一些研究,但仍然无法理解这里的诀窍。 There is one suggestion to use google_project_iam_binding , but reading thruogh some articles it seems to be dangerous (read: insecure solution).有一个使用google_project_iam_binding建议,但阅读一些文章似乎很危险(阅读:不安全的解决方案)。 There's also a general answer with only GCP descriptions, nit using tf terms here , which is still a bit confusing.还有一个只有 GCP 描述的一般答案,nit using tf terms here ,这仍然有点令人困惑。 And also concluding the similar question here , I confirm that the domain name ownership was verified via Google Console.并且在这里总结类似的问题,我确认域名所有权已通过 Google 控制台验证。

So, I ended up with the following:所以,我最终得到以下结果:

data "google_iam_policy" "admin" {
  binding {
    role = "roles/iam.serviceAccountUser"
    members = [
      "user:myemail@domain.name",
      "serviceAccount:${google_service_account.serviceaccount.email}",
    ]
  }
}
resource "google_service_account" "serviceaccount" {
  account_id   = "sa-1"
}
resource "google_service_account_iam_policy" "admin-acc-iam" {
  service_account_id = google_service_account.serviceaccount.name
  policy_data        = data.google_iam_policy.admin.policy_data
}
resource "google_storage_bucket_iam_policy" "policy" {
  bucket      = google_storage_bucket.storage_bucket.name
  policy_data = data.google_iam_policy.admin.policy_data
}
resource "google_compute_network" "vpc_network" {
  name                    = "vpc-network"
  auto_create_subnetworks = "true"
}
resource "google_compute_instance" "instance_1" {
  name         = "instance-1"
  machine_type = "f1-micro"
  boot_disk {
    initialize_params {
      image = "cos-cloud/cos-stable"
    }
  }
  network_interface {
    network = google_compute_network.vpc_network.self_link
    access_config {
    }
  }
}
resource "google_storage_bucket" "storage_bucket" {
  name          = "bucket-1"
  location      = "US"
  force_destroy = true
  website {
    main_page_suffix = "index.html"
    not_found_page   = "404.html"
  }
  cors {
    origin          = ["http://the.domain.name"]
    method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
    response_header = ["*"]
    max_age_seconds = 3600
  }
}

but if I terraform apply , logs show me an error like that但如果我terraform apply ,日志会显示这样的错误

Error: Error setting IAM policy for service account 'trololo': googleapi: Error 403: Permission iam.serviceAccounts.setIamPolicy is required to perform this operation on service account trololo., forbidden
2020/09/28 19:19:34 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
  on main.tf line 35, in resource "google_service_account_iam_policy" "admin-acc-iam":
  35: resource "google_service_account_iam_policy" "admin-acc-iam" {
2020/09/28 19:19:34 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
Error: googleapi: Error 403: The bucket you tried to create is a domain name owned by another user., forbidden
  on main.tf line 82, in resource "google_storage_bucket" "storage_bucket":

and some useless debug info.和一些无用的调试信息。 What's wrong?怎么了? What account is missing what permissions and how to assign them securely?哪个帐户缺少哪些权限以及如何安全地分配它们?

1 个解决方案

解决方案1
 1 已采纳  2020-10-01 16:27:35

I found the problem.我发现了问题。 As always, in 90% of cases, the issue is sitting in front of the computer.与往常一样,在 90% 的情况下,问题都出在计算机前面。

Here are the steps that helped me to understand and to resolve the problem:以下是帮助我理解和解决问题的步骤:

  1. I read few more articles and especially this and this answer were very helpful to understand relations between users, service accounts, permissions我阅读了更多文章,尤其是这个这个答案对于理解用户、服务帐户、权限之间的关系非常有帮助
  2. I understood that doing terraform destroy is also very important since there is no rollback of unsuccessful deploy of a new infrastructure changes (like with DB migrations for example) - thus you have to clean up either with destroy or manually我知道执行terraform destroy也非常重要,因为没有回滚新基础设施更改的不成功部署(例如数据库迁移) - 因此您必须使用销毁或手动清理
  3. completely removed the "user:${var.admin_email}" user account IAM policy since it useless;完全删除了"user:${var.admin_email}"用户帐户 IAM 策略,因为它没用; everything has to be managed by the newly created service account一切都必须由新创建的服务帐户管理
  4. left the main service account with most permissions untouched (the one which was created manually and downloaded the access key) since Terraform used it's credentials由于 Terraform 使用了它的凭据,因此保留了大多数权限的主服务帐户(手动创建并下载了访问密钥的那个)
  5. and changed the IAM policy for the new service account as roles/iam.serviceAccountAdmin instead of a User - thanks @Wojtek_B for the hint并将新服务帐户的 IAM 策略更改为roles/iam.serviceAccountAdmin而不是User - 感谢 @Wojtek_B 的提示

After this everything works smooth!在此之后一切顺利!

解决方案2
 0  2022-01-30 19:46:06

I had the same error as yours.我和你有同样的错误。

So I added the role "Service Account Admin" to my service account then the error was solved:所以我将角色“服务帐户管理员”添加到我的服务帐户,然后错误就解决了:

在此处输入图像描述

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 (Terraform,GCP)错误 403:需要权限 iam.serviceAccounts.setIamPolicy 才能对服务帐户项目/myproject-17 执行此操作 - (Terraform, GCP) Error 403: Permission iam.serviceAccounts.setIamPolicy is required to perform this operation on service account projects/myproject-17 (GCP,Terraform)创建服务帐户时出错:googleapi:错误 403:需要权限 iam.serviceAccounts.create 才能执行此操作 - (GCP, Terraform) Error creating service account: googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on 需要 iam.serviceAccounts.getIamPolicy 才能对服务帐户执行此操作 - iam.serviceAccounts.getIamPolicy is required to perform this operation on service account 在云运行上部署时,服务帐户的权限“iam.serviceaccounts.actAs”被拒绝 - Permission 'iam.serviceaccounts.actAs' denied on service account when deploying on cloud run 使用 Deployment Manager 进行 BQ 计划查询:“P4 服务帐户需要 iam.serviceAccounts.getAccessToken 权限” - BQ Schedule Queries with Deployment Manager: “P4 service account needs iam.serviceAccounts.getAccessToken permission” GCP:使用 Terraform 从服务帐户中删除 IAM 策略 - GCP: Remove IAM policy from Service Account using Terraform 使用自定义服务帐号部署到 Cloud Run 失败并出现 iam.serviceaccounts.actAs 错误 - Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error 在 GCP 中对 Artifact Registry 设置 IAM 政策时出现权限错误 - Permission error when setting IAM policy on Artifact Registry in GCP 无法分配 iam.serviceAccounts.signBlob 权限 - Unable to assign iam.serviceAccounts.signBlob permission Terraform GCP 将 IAM 角色分配给服务帐户 - Terraform GCP Assign IAM roles to service account
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM