使用“--set-sql-instance”参数部署到云运行时,云构建权限被拒绝
[英]Cloud build permission denied when deploy to cloud run with “--set-sql-instance” argument
原文
2019-11-16 18:22:30
3
2
google-cloud-platform/
google-cloud-sql/
google-cloud-build/
google-cloud-run
问题描述
我正在尝试配置构建maven springboot项目然后部署到云运行的云构建触发器。 当我没有指定要连接的云 sql 实例时,我遇到了一个问题,但是当我添加"--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}"作为参数之一时,它在云构建上引发错误,如下所示:
Step #1: ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission
Finished Step #1
ERROR
ERROR: build step 1 "gcr.io/cloud-builders/gcloud" failed: exit status 1
以下是我的cloudbuild.yml
steps:
- name: 'gcr.io/kaniko-project/executor:latest'
args:
- --destination=gcr.io/$PROJECT_ID/${_IMAGE_NAME}
- --cache=true
- name: 'gcr.io/cloud-builders/gcloud'
args: [
"beta", "run",
"deploy", "${_SERVICE_NAME}-${_PROFILE}",
"--image", "gcr.io/${PROJECT_ID}/${_IMAGE_NAME}",
"--region", "${_REGION}",
"--platform", "managed",
"--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}",
"--allow-unauthenticated",
"--set-env-vars", "SPRING_PROFILES_ACTIVE=${_SPRING_PROFILE},DATABASE_CONNECTION_NAME=${_DATABASE_CONNECTION_NAME},DATABASE_NAME=${_DATABASE_NAME},DATABASE_USERNAME=${_DATABASE_USERNAME},DATABASE_PASSWORD=${_DATABASE_PASSWORD},MINIO_ACCESS_KEY=${_MINIO_ACCESS_KEY},MINIO_SECRET_KEY=${_MINIO_SECRET_KEY},MINIO_HOSTNAME=${_MINIO_HOSTNAME},MINIO_PORT=${_MINIO_PORT}"
]
images:
- gcr.io/${PROJECT_ID}/${_IMAGE_NAME}
我已经为服务帐户设置了角色/权限,如下所示:
-
{PROJECT_ID}-compute@developer.gserviceaccount.com:编辑,云 Sql 客户端 <-- 默认 SA -
<Cloud run service agent>:云运行服务代理,云SQL客户端 -
<Cloud Build SA>:Cloud Build SA、Cloud Run 管理员
My Cloud Run 服务还使用默认服务帐户作为其 SA
2 个解决方案
解决方案1
5 已采纳 2019-11-17 04:28:11
确保您还为 Cloud Build 服务帐号提供了iam.serviceAccountUser角色,允许它在构建期间模拟 Cloud Run 运行时服务帐号。
gcloud iam service-accounts add-iam-policy-binding
PROJECT_NUMBER-compute@developer.gserviceaccount.com
--member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com"
--role="roles/iam.serviceAccountUser"
有关详细信息,请参阅Cloud Run 部署权限。
解决方案2
0 2020-02-15 15:27:42
我正在使用服务帐户部署具有 sql 连接的云运行 function。 我发现服务帐号需要以下权限:
- serviceusage.quotas.get
- serviceusage.services.get
- serviceusage.services.list
如何使用云构建在谷歌云上使用云 sql 部署云运行?
[英]How to use cloud build to deploy cloud run with cloud sql on google cloud?
使用```gcloud run deploy```时如何增加云构建超时?
[英]How to increase the cloud build timeout when using ```gcloud run deploy```?
从云存储导入CSV到云SQL时拒绝服务帐户访问(权限问题?)
[英]Access denied for service account (permission issue?) when importing a csv from cloud storage to cloud sql
尝试执行云构建以将应用程序部署到云运行时出错
[英]Getting error when trying to execute cloud build to deploy application to cloud run
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.