[英]Trying to Create a BigQuery Dataset Transfer config from Project A to Project B in GCP
I have a Service Account in Project A admin@proj1.iam.gserviceaccount.com
this is a Project Owner Throughout my organization, so we use this to create resources in different projects using our Automation.我在项目 A 中有一个服务帐户
admin@proj1.iam.gserviceaccount.com
这是整个组织的项目所有者,因此我们使用它来使用我们的自动化在不同项目中创建资源。
I am Trying to Create a Google Big query Data Transfer Config
via Terraform in Project B
using the Service account mentioned above from Project A
.我正在尝试使用上面提到的
Project A
中的服务帐户,通过Project B
中的 Terraform 创建Google Big query Data Transfer Config
。 And its giving me this error它给了我这个错误
Error creating Config: googleapi: Error 400: P4 service account needs iam.serviceAccounts.getAccessToken permission. Running the following command may resolve this error: gcloud iam service-accounts add-iam-policy-binding Admin@projectA.iam.gserviceaccount.com --member='serviceAccount:service-<Project_B_ID>@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com' --role='roles/iam.serviceAccountTokenCreator'
I tried running the above in ProjectB
where the data set would be created, and it gave me a error the admin@proj1.iam.gserviceaccount.com
does not exist.我尝试在将创建数据集的
ProjectB
中运行上述内容,它给了我一个错误admin@proj1.iam.gserviceaccount.com
不存在。 I have not tried it(not allowed to run CLI cmd )in ProjectA
plus everything is Managed via Terraform, is there a way around to resolve this without needing to run this manually.我没有在
ProjectA
中尝试过(不允许运行 CLI cmd),而且一切都通过 Terraform 进行管理,有没有办法解决这个问题而无需手动运行。
Or any other form to resolve this issue?或者任何其他形式来解决这个问题?
FYI: This is only about resource creation, the data set and its transfer are gonna be local to project B only仅供参考:这仅与资源创建有关,数据集及其传输将仅在项目 B 本地
You need to bind the user “admin@proj1.iam.gserviceaccount.com”
to project B and assign the role “roles/iam.serviceAccountTokenCreator”
.More information here .您需要将用户
“admin@proj1.iam.gserviceaccount.com”
绑定到项目B并分配角色“roles/iam.serviceAccountTokenCreator”
。更多信息在这里。
You can use this example code with terminal您可以将此示例代码与终端一起使用
gcloud iam service-accounts add-iam-policy-binding Admin@projectA.iam.gserviceaccount.com --member='serviceAccount:service-<Project_B_ID>@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com' --role='roles/iam.serviceAccountTokenCreator'
Or you can use the IAM console and assign this role roles/iam.serviceAccountTokenCreator to the user admin@proj1.iam.gserviceaccount.com
.或者,您可以使用 IAM 控制台并将此角色角色 roles/iam.serviceAccountTokenCreator分配给用户
admin@proj1.iam.gserviceaccount.com
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.