如何使用云构建在谷歌云上使用云 sql 部署云运行？

Question

My cloudbuild.yaml file (I have built a docker image and pushed it to gcr)我的 cloudbuild.yaml 文件（我已经构建了一个 docker 映像并将其推送到 gcr）

This application using mysql on Cloud SQL.此应用程序在云 SQL 上使用 mysql。 So needs to connect to it.所以需要连接它。

steps:
  - id: cloud-run
    name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    entrypoint: gcloud
    args:
      - 'run'
      - 'deploy'
      - 'my-service'
      - '--image'
      - 'asia.gcr.io/$_PROJECT_ID/my-service:$_COMMIT_SHA'
      - '--region'
      - 'asia-northeast1'
      - '--platform'
      - 'managed'
      - '--service-account'
      - '$_CLOUD_RUN_PUBSUB_INVOKER'
      - '--add-cloudsql-instances'
      - '$_MYSQL_MAIN_INSTANCE_NAME'
      - '--set-env-vars'
      - 'MYSQL_MAIN_CONNECTIONS=$_MYSQL_MAIN_CONNECTIONS'
      - '--set-env-vars'
      - 'MYSQL_MAIN_INSTANCE_NAME=$_MYSQL_MAIN_INSTANCE_NAME'
      - '--set-env-vars'
      - 'MYSQL_MAIN_DB=$_MYSQL_MAIN_DB'
      - '--set-env-vars'
      - 'MYSQL_MAIN_USER=$_MYSQL_MAIN_USER'
      - '--set-env-vars'
      - 'MYSQL_MAIN_PASSWORD_SECRET_ID=$_MYSQL_MAIN_PASSWORD_SECRET_ID'
      - '--set-env-vars'

When ran build to submit, got Cloud SQL API not activated error当运行构建提交时，得到云 SQL API 未激活错误

$ gcloud builds submit
Creating temporary tarball archive of 5 file(s) totalling 47.4 KiB before compression.
Uploading tarball of [.] to [gs://my-project_cloudbuild/source/1610067564.911628-8d7f3de581ca4b8faa57bd5a8ea75ef1.tgz]
Created [https://cloudbuild.googleapis.com/v1/projects/my-project/locations/global/builds/b4e1bf9c-bc06-4ce8-b252-3b34f164719d].
Logs are available at [https://console.cloud.google.com/cloud-build/builds/b4e1bf9c-bc06-4ce8-b252-3b34f164719d?project=421686839359].
---------------------------------------------------------------------------------------------- REMOTE BUILD OUTPUT -----------------------------------------------------------------------------------------------
starting build "b4e1bf9c-bc06-4ce8-b252-3b34f164719d"

FETCHSOURCE
Fetching storage object: gs://my-project_cloudbuild/source/1610067564.911628-8d7f3de581ca4b8faa57bd5a8ea75ef1.tgz#1610067566084932
Copying gs://my-project_cloudbuild/source/1610067564.911628-8d7f3de581ca4b8faa57bd5a8ea75ef1.tgz#1610067566084932...
/ [1 files][ 17.1 KiB/ 17.1 KiB]
Operation completed over 1 objects/17.1 KiB.
BUILD
Pulling image: gcr.io/google.com/cloudsdktool/cloud-sdk
Using default tag: latest
latest: Pulling from google.com/cloudsdktool/cloud-sdk
6c33745f49b4: Already exists
...
ffa0764d79dc: Pull complete
Digest: sha256:3f32cb39cdfe8902bc85e31111a9f1bc7cbd9d37f31c6164f2b41cfdaa66284f
Status: Downloaded newer image for gcr.io/google.com/cloudsdktool/cloud-sdk:latest
gcr.io/google.com/cloudsdktool/cloud-sdk:latest
Skipped validating Cloud SQL API and Cloud SQL Admin API enablement due to an issue contacting the Service Usage  API. Please ensure the Cloud SQL API and Cloud SQL Admin API are activated (see https://console.cloud.google.com/apis/dashboard).
ERROR: (gcloud.run.deploy) PERMISSION_DENIED: The caller does not have permission
ERROR
ERROR: build step 0 "gcr.io/google.com/cloudsdktool/cloud-sdk" failed: step exited with non-zero status: 1
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ERROR: (gcloud.builds.submit) build b4e1bf9c-bc06-4ce8-b252-3b34f164719d completed with status "FAILURE"

I have checked dashboard https://console.cloud.google.com/apis/dashboard , both Cloud SQL API and Cloud SQL Admin API are activated. I have checked dashboard https://console.cloud.google.com/apis/dashboard , both Cloud SQL API and Cloud SQL Admin API are activated.

I also ran permission setting by https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#continuous-iam我还运行了https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#continuous-iam的权限设置

gcloud iam service-accounts add-iam-policy-binding \
  PROJECT_NUMBER-compute@developer.gserviceaccount.com \
  --member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
  --role="roles/iam.serviceAccountUser"

But still the same error.但仍然是同样的错误。

Answer 1

It seems the error is about the IAM permission.似乎错误与 IAM 权限有关。

PERMISSION_DENIED: The caller does not have permission PERMISSION_DENIED：调用者没有权限

You also need to follow the Required IAM permission steps in this document :您还需要遵循本文档中所需的 IAM 权限步骤：

To deploy to Cloud Run (fully managed) grant the Cloud Run Admin and Service Account User roles to the Cloud Build service account:要部署到 Cloud Run（完全托管），请将 Cloud Run 管理员和服务帐户用户角色授予 Cloud Build 服务帐户：

In the Cloud Console, go to the Cloud Build Settings page:在 Cloud Console 中，go 到 Cloud Build Settings 页面：

Open the Settings page打开设置页面

In the Service account permissions panel, set the status of the Cloud Run Admin role to ENABLED:在服务帐号权限面板中，将 Cloud Run 管理员角色的状态设置为启用：

In the Additional steps may be required pop-up, you click Skip or click GRANT ACCESS TO ALL SERVICE ACCOUNTS.在“可能需要附加步骤”弹出窗口中，单击“跳过”或单击“授予对所有服务帐户的访问权限”。

如何使用云构建在谷歌云上使用云 sql 部署云运行？

问题描述

1 个解决方案

解决方案1
2 已采纳 2021-01-08 05:39:18

如何使用云构建在谷歌云上使用云 sql 部署云运行？

问题描述

1 个解决方案

解决方案1 2 已采纳 2021-01-08 05:39:18

解决方案1
2 已采纳 2021-01-08 05:39:18