GCP - Cloud Composer 2 - 在此环境上创建操作失败

Question

我试图在 GCP 上创建一个默认的 Composer 2 实例并得到错误：

CREATE operation on this environment failed 32 minutes ago with the following error message:
Composer Backend timed out. Currently running tasks are [stage: CP_COMPOSER_AGENT_RUNNING
description: "No agent response published."
...

或者

CREATE operation on this environment failed 32 minutes ago with the following error message:
Environment couldn't be created, but no error was surfaced. This can be cause by a lack of 
proper permissions. Check if this environment's service account ... .iam.gserviceaccount.com 
has the 'roles/composer.worker' role and there is no firewall inhibiting internal 
communications set.

我已经尝试在https://cloud.google.com/composer/docs/composer-2/access-control 中将Composer Worker 角色添加到服务帐户和所有其他必需的角色（例如 Cloud Composer v2 API Service Agent Extension） （对于公共和私有，尽管实例是公共的）。

我查看了 GKE 实例，发现 Pod composer-agent 失败了：

Traceback (most recent call last): File "composer_agent.py", line 467, in <module> main() File "composer_agent.py", line 292, in main responses = pubsub_subscriber.pull() (...)
oauth2client.client.HttpAccessTokenRefreshError: Failed to retrieve
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/(...)
compute@developer.gserviceaccount.com/token from the Google Compute Enginemetadata service. 
Response:
{'date': 'Thu, 17 Feb 2022 10:29:46 GMT', 'status': '403', 'content-length': '668', 'content- 
type': 'text/plain; charset=utf-8', 'x-content-type-options': 'nosniff'}

所以我假设仍然存在一些权限问题，但我无法弄清楚是什么，可以毫无问题地创建 Composer 1 实例，以及对服务帐户具有相同权限的不同项目 Composer 2 实例。

我还尝试创建具有所需权限的不同于默认计算服务帐户，但也没有成功。 我还检查了我要添加权限的服务帐户实际上是在 composer-agent 中发送请求的服务帐户，并且正在向 GKE 集群发送环境创建请求。

希望哪位遇到过类似问题或者对composer-agent中出现的错误有比较了解的可以帮忙，万分感谢！

Answer 1

与 Google 支持团队联系后，解决方案是手动启用“IAM 服务帐户凭据 API”。 服务帐户权限或防火墙设置没有问题。