![](/img/trans.png)
[英](Terraform, GCP) Error 403: Permission iam.serviceAccounts.setIamPolicy is required to perform this operation on service account projects/myproject-17
[英]Terraform throws Error setting IAM policy for service account ... Permission iam.serviceAccounts.setIamPolicy is required
我正在尝试使用 Terraform 在 GCP 上创建一个非常简单的结构:计算实例 + 存储桶。 我对 GCP 文档、Terraform 文档以及 SO 问题进行了一些研究,但仍然无法理解这里的诀窍。 有一个使用google_project_iam_binding
的建议,但阅读一些文章似乎很危险(阅读:不安全的解决方案)。 还有一个只有 GCP 描述的一般答案,nit using tf terms here ,这仍然有点令人困惑。 并且在这里总结类似的问题,我确认域名所有权已通过 Google 控制台验证。
所以,我最终得到以下结果:
data "google_iam_policy" "admin" {
binding {
role = "roles/iam.serviceAccountUser"
members = [
"user:myemail@domain.name",
"serviceAccount:${google_service_account.serviceaccount.email}",
]
}
}
resource "google_service_account" "serviceaccount" {
account_id = "sa-1"
}
resource "google_service_account_iam_policy" "admin-acc-iam" {
service_account_id = google_service_account.serviceaccount.name
policy_data = data.google_iam_policy.admin.policy_data
}
resource "google_storage_bucket_iam_policy" "policy" {
bucket = google_storage_bucket.storage_bucket.name
policy_data = data.google_iam_policy.admin.policy_data
}
resource "google_compute_network" "vpc_network" {
name = "vpc-network"
auto_create_subnetworks = "true"
}
resource "google_compute_instance" "instance_1" {
name = "instance-1"
machine_type = "f1-micro"
boot_disk {
initialize_params {
image = "cos-cloud/cos-stable"
}
}
network_interface {
network = google_compute_network.vpc_network.self_link
access_config {
}
}
}
resource "google_storage_bucket" "storage_bucket" {
name = "bucket-1"
location = "US"
force_destroy = true
website {
main_page_suffix = "index.html"
not_found_page = "404.html"
}
cors {
origin = ["http://the.domain.name"]
method = ["GET", "HEAD", "PUT", "POST", "DELETE"]
response_header = ["*"]
max_age_seconds = 3600
}
}
但如果我terraform apply
,日志会显示这样的错误
Error: Error setting IAM policy for service account 'trololo': googleapi: Error 403: Permission iam.serviceAccounts.setIamPolicy is required to perform this operation on service account trololo., forbidden
2020/09/28 19:19:34 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
on main.tf line 35, in resource "google_service_account_iam_policy" "admin-acc-iam":
35: resource "google_service_account_iam_policy" "admin-acc-iam" {
2020/09/28 19:19:34 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
Error: googleapi: Error 403: The bucket you tried to create is a domain name owned by another user., forbidden
on main.tf line 82, in resource "google_storage_bucket" "storage_bucket":
和一些无用的调试信息。 怎么了? 哪个帐户缺少哪些权限以及如何安全地分配它们?
我发现了问题。 与往常一样,在 90% 的情况下,问题都出在计算机前面。
以下是帮助我理解和解决问题的步骤:
terraform destroy
也非常重要,因为没有回滚新基础设施更改的不成功部署(例如数据库迁移) - 因此您必须使用销毁或手动清理"user:${var.admin_email}"
用户帐户 IAM 策略,因为它没用; 一切都必须由新创建的服务帐户管理roles/iam.serviceAccountAdmin
而不是User
- 感谢 @Wojtek_B 的提示在此之后一切顺利!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.