[英](GCP, Terraform) Error creating service account: googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on
[英]Error creating Job: googleapi: Error 403: lacks IAM permission
目前,在我的开发环境中部署此 Cloud Scheduler 资源时出现以下错误。
1. Step #1 - "Terraform plan": │ Error: Error creating Job: googleapi:
Error 403: The principal (user or service account) lacks IAM
permission "cloudscheduler.jobs.create" for the resource
"projects/whg-dev/locations/us-east1" (or the resource may not
exist).
Step #1 - "Terraform plan": │
Step #1 - "Terraform plan": │ with google_cloud_scheduler_job.scheduler,
Step #1 - "Terraform plan": │ on scheduler_template.tf line 11, in resource "google_cloud_scheduler_job" "scheduler":
Step #1 - "Terraform plan": │ 11: resource "google_cloud_scheduler_job" "scheduler" {
Step #1 - "Terraform plan": │
在我的 TF 配置下面找到,我找不到缺少的东西......
# Google-Cloud-Scheduler
resource "google_project_service" "scheduler_api" {
service = "cloudscheduler.googleapis.com"
provider = google-beta
project = var.project_id
disable_on_destroy = false
}
resource "google_cloud_scheduler_job" "scheduler" {
name = "NotificationsRemindersBatch-test"
description = "test http job"
schedule = "*/30 * * * *"
time_zone = "Etc/UTC"
region = "us-east1"
attempt_deadline = "180s"
project = var.project_id
depends_on = [google_project_service.scheduler_api]
retry_config {
retry_count = 1
}
http_target {
http_method = "POST"
uri = "https://notifications-reminders-service-v35463ja-ue.a.run.app/"
body = base64encode("{\"foo\":\"bar\"}")
}
}
IAM ROLES 配置和授权
这些配置在不同的存储库中设置为 main.tf,这是设置:
resource "google_cloud_run_service_iam_member" "authorize" {
location = google_cloud_run_service.main.location
project = google_cloud_run_service.main.project
service = google_cloud_run_service.main.name
role = "roles/run.invoker"
member = "allUsers"
}
resource "google_project_iam_member" "project" {
count = length(var.roles)
project = google_cloud_run_service.main.project
role = var.roles[count.index]
member = "serviceAccount:${google_service_account.sa.email}"
}
在变量文件夹中也创建了一个“角色”参数。
希望这可以帮助。
正如@John Hanley 所评论的,您可以添加一个服务帐户以便向 GCP API 发出请求。
为了向 GCP API 发出请求,您需要进行身份验证以证明是您发出请求。
此外,我设法复制了您的错误,并通过创建包含Cloud Scheduler Admin
角色的服务帐户成功解决了它。 您可以按照官方文档了解如何创建服务帐户,然后下载密钥
然后通过环境变量传递服务帐户密钥, 如下所示:
export GOOGLE_APPLICATION_CREDENTIALS="path/to/service/account"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.