My account has certain permissions on GCP console but not in Terraform/command line
On GCP console, I can successfully create a GCE VM and create a primary and an alias IP addresses for the VM in a subnet of a shared VPC.
But the strange thing is when I tried to repeat the process with Terraform, I got the following error:
Error: Error creating Address: googleapi: Error 403: Required 'compute.addresses.createInternal' permission for 'projects/xxx/regions/us-central1/addresses/yyy', forbidden
I also got another permission error on 'compute.instances.setDeletionProtection' in a slightly different attempt.
Other information to share:
resource "google_compute_address" "alias-ips" {
name = var.name
address_type = "INTERNAL"
purpose = "GCE_ENDPOINT"
region = var.region
subnetwork = "https://www.googleapis.com/compute/v1/projects/${var.subnet_project}/regions/${var.region}/subnetworks/${var.subnet}"
project = var.project
}
The next thing I'll try is to use gcloud to create the same resource. But I doubt it will generate any useful errors either.
Update 1:
I tried gcloud to create a VM. I was able to create the VM, and its primary and alias IPs. But when I tried to set deletion protection (using gcloud compute instances update XXX --deletion-protection, or using the option --deletion-protection when creating a VM), I got the 403 error again. But what's perplexing is that I could create IPs. This could imply that I wrote my TF not exactly the correct way, or that the way TF handles alias IP creation is different from gcloud.
Update 2:
As per request, I set up GCP authN for TF by gcloud auth application-default login. I have never touched GOOGLE_APPLICATION_CREDENTIALS so it's empty. I'm very sure I'm using the same account/identity. And I run Terraform in an environment where I have no issue running Terraform to do everything in other GCP projects I work with, where I have less constrained permissions.
We eventually figured out that it was because the custom role our admin created for me lacked exactly those two permissions:
After they added those two permissions for me, I was able to complete my job. The two blocking issues for me were, corresponding to the two permissions: 1) I couldn't create an IP address in a shared VPC/subnet; 2) I couldn't turn on "Deletion Protection" for a VM.
So there's nothing wrong with how GCP or Terraform checks permissions, nor with my authentication. I thought it was a larger issue, but it turned out to be just that two permissions prevented me from creating the VM.
I could have had the Compute Instance Admin role and/or the Compute Network User role, so that I wouldn't have run into this issue. The reason why our admin decided not to directly grant me (developers) those two roles is that they contain permissions that are too broad.
But I'm still suspicious about the contradicting behavior in GCP Console vs. in Terraform/gcloud when creating alias IPs. I guess it's that GCP Console uses some non-standard API that is different from the way Terraform/gcloud does the job. There might be a bug or some undocumented feature behind it.
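As an added example (not the poster's or their admin's configuration), this is how the fix described above can be expressed in Terraform: a small custom role that carries only the two permissions named in the 403 errors, bound to the developer in the project where the address resource is created. The role id, title, and the `var.project` / `var.developer_email` variables are assumptions.

```hcl
# Added example, not from the original post. Least-privilege supplement to a
# developer's existing custom role: only the two permissions that the 403
# errors in the question asked for, instead of granting the broad predefined
# Compute Instance Admin / Compute Network User roles.
resource "google_project_iam_custom_role" "gce_dev_extra" {
  # Same project as the poster's google_compute_address resource (the
  # error message referenced projects/<project>/regions/.../addresses/...).
  project     = var.project
  role_id     = "gceDeveloperExtra" # assumed role id
  title       = "GCE developer: alias IPs and deletion protection"
  description = "Permissions missing from the base developer custom role"
  stage       = "GA"

  permissions = [
    # Needed to create an INTERNAL google_compute_address (the alias IP).
    "compute.addresses.createInternal",
    # Needed for deletion_protection = true on a google_compute_instance.
    "compute.instances.setDeletionProtection",
  ]
}

# Grant the supplemental role to the developer identity that runs Terraform.
resource "google_project_iam_member" "gce_dev_extra_binding" {
  project = var.project
  role    = google_project_iam_custom_role.gce_dev_extra.id
  member  = "user:${var.developer_email}" # assumed variable
}
```

After `terraform apply`, re-running the original `google_compute_address` plan with the same identity should no longer return the `compute.addresses.createInternal` 403; the `deletion_protection` error is addressed by the second permission.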