Unable to run GCP terraform commands from GitHub Actions
I have set up keyless authentication for my GitHub Actions pipeline using Workload Identity Federation by following the official tutorial.
When running a terraform init command from my pipeline I get the following error:
│ Error: Failed to get existing workspaces: querying Cloud Storage failed: Get "https://storage.googleapis.com/storage/v1/b/lws-dev-common-bucket/o?alt=json&delimiter=%2F&pageToken=&prefix=global%2Fnetworking.state%2F&prettyPrint=false&projection=full&versions=false": oauth2/google: status code 403: {
│   "error": {
│     "code": 403,
│     "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
│     "status": "PERMISSION_DENIED",
│     "details": [
│       {
│         "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│         "reason": "IAM_PERMISSION_DENIED",
│         "domain": "iam.googleapis.com",
│         "metadata": {
│           "permission": "iam.serviceAccounts.getAccessToken"
│         }
│       }
│     ]
│   }
│ }
I have ensured that the service account that I am using has proper permissions including:
Below is a snippet of my pipeline code:
- id: 'auth'
  name: 'Authenticate to Google Cloud'
  uses: 'google-github-actions/auth@v0.4.0'
  with:
    workload_identity_provider: 'projects/385050593732/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
    service_account: 'lws-d-iac-sa@lefewaresolutions-poc.iam.gserviceaccount.com'

- name: Terraform Init
  working-directory: ./Terraform/QuickStartDeployments/EKSCluster
  run: terraform init
and my terraform code:
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "3.89.0"
    }
  }

  backend "gcs" {
    bucket = "lws-dev-common-bucket"
    prefix = "global/networking.state"
  }

  required_version = ">= 0.14.9"
}

provider "google" {
  project = var.project_id
  region  = var.region
}

module "vpc" {
  source     = "../../Modules/VPC"
  project_id = var.project_id
  region     = "us-west1"
  vpc_name   = var.vpc_name
}
I ran into the same issue and was able to fix it by granting the service account the Service Account Token Creator role in the project IAM page manually.
This can also happen if your service account doesn't have permission to access the storage bucket where your terraform state file is stored, or if your service account doesn't have the Workload Identity User role set properly.
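The two bindings the answers above describe, written as Terraform instead of granted by hand in the console; this is an added example, not code from the question or either answer. It assumes the pool, provider, project number, service account and bucket from the question, that the provider maps attribute.repository = assertion.repository as in the official tutorial, and uses ORG/REPO as a placeholder for the GitHub repository.

```hcl
# Added example (not from the question or answers). Assumes the pool and
# provider from the question and that the provider maps
# attribute.repository = assertion.repository (as in the official tutorial).
locals {
  project_number = "385050593732"
  sa_email       = "lws-d-iac-sa@lefewaresolutions-poc.iam.gserviceaccount.com"

  # Placeholder: the GitHub "owner/repo" that is allowed to impersonate the SA.
  github_repo = "ORG/REPO"

  # Only tokens from this pool that carry this repository claim may
  # impersonate the service account; never bind allUsers or the whole pool.
  wif_principal = "principalSet://iam.googleapis.com/projects/${local.project_number}/locations/global/workloadIdentityPools/my-pool/attribute.repository/${local.github_repo}"
}

# Grants iam.serviceAccounts.getAccessToken (the permission named in the 403)
# on the service account itself, scoped to the federated principal. The first
# answer granted roles/iam.serviceAccountTokenCreator at project level; that
# role also carries getAccessToken but is broader than this binding.
resource "google_service_account_iam_member" "github_wif_user" {
  service_account_id = "projects/lefewaresolutions-poc/serviceAccounts/${local.sa_email}"
  role               = "roles/iam.workloadIdentityUser"
  member             = local.wif_principal
}

# The second answer's other cause: the SA must be able to list, read and
# write objects in the state bucket. Bind on the bucket, not the project.
resource "google_storage_bucket_iam_member" "state_bucket_access" {
  bucket = "lws-dev-common-bucket"
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${local.sa_email}"
}
```

After applying, `gcloud iam service-accounts get-iam-policy lws-d-iac-sa@lefewaresolutions-poc.iam.gserviceaccount.com` should list the principalSet member under roles/iam.workloadIdentityUser, which is the check to run before re-running the pipeline.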