无法从 GitHub 操作运行 GCP terraform 命令
[英]Unable to run GCP terraform commands from GitHub Actions
问题描述
I have setup keyless authentication for my Github Actions pipeline using Workload Identity Federation by following the official tutorial
我按照官方教程使用 Workload Identity Federation 为我的 Github Actions 管道设置了无密钥身份验证
When running a terraform init command from my pipeline I get the following error:从我的管道运行 terraform init 命令时,出现以下错误:
│ Error: Failed to get existing workspaces: querying Cloud Storage failed: Get "https://storage.googleapis.com/storage/v1/b/lws-dev-common-bucket/o?alt=json&delimiter=%2F&pageToken=&prefix=global%2Fnetworking.state%2F&prettyPrint=false&projection=full&versions=false": oauth2/google: status code 403: {
│ "error": {
│ "code": 403,
│ "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
│ "status": "PERMISSION_DENIED",
│ "details": [
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "reason": "IAM_PERMISSION_DENIED",
│ "domain": "iam.googleapis.com",
│ "metadata": {
│ "permission": "iam.serviceAccounts.getAccessToken"
│ }
│ }
│ ]
│ }
│ }
I have ensured that the service account that I am using has proper permissions including:我已确保我使用的服务帐户具有适当的权限,包括:
- Cloud Run Admin云运行管理员
- Cloud Run Service Agent Cloud Run 服务代理
Below is a snippet of my pipeline code:下面是我的管道代码片段:
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v0.4.0'
with:
workload_identity_provider: 'projects/385050593732/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
service_account: 'lws-d-iac-sa@lefewaresolutions-poc.iam.gserviceaccount.com'
- name: Terraform Init
working-directory: ./Terraform/QuickStartDeployments/EKSCluster
run: terraform init
and my terraform code:和我的 terraform 代码:
terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "3.89.0"
}
}
backend "gcs" {
bucket = "lws-dev-common-bucket"
prefix = "global/networking.state"
}
required_version = ">= 0.14.9"
}
provider "google" {
project = var.project_id
region = var.region
}
module "vpc" {
source = "../../Modules/VPC"
project_id = var.project_id
region = "us-west1"
vpc_name = var.vpc_name
}
2 个解决方案
解决方案1
0 2023-01-18 19:59:20
I ran into the same issue and was able to fix it by granting the service account Service Account Token Creator role in the project IAM page manually我遇到了同样的问题,并且能够通过在项目 IAM 页面中手动授予服务帐户Service Account Token Creator角色来解决它
解决方案2
0 2023-02-01 18:22:10
This can also happen if your service account doesn't have permission to access the storage bucket where your terraform state file is stored, or if your service account doesn't have the Workload Identity User role set properly.如果您的服务账户无权访问存储 terraform state 文件的存储桶,或者如果您的服务账户没有正确设置Workload Identity User角色,也会发生这种情况。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.