
GitHub Actions to Google Cloud Functions "Constraint constraints/gcp.resourceLocations violated for projects/GOOGLE_PROJECT_ID attempting GenerateU

I am trying to build a Python application that is stored in GitHub, and I want to run it on Google Cloud Functions.

I followed this tutorial: https://blog.leandrotoledo.org/deploying-google-cloud-functions-using-github-actions-and-workload-identity-authentication/

.github/workflows/main.yaml

looks like this (with workload_identity_provider and service_account changed to my values)

# This is a basic workflow to help you get started
name: CD

# Controls when the workflow will run
on:
  # Triggers the workflow on push or pull request events but only for the main branch
  push:
    branches: [main]
  pull_request:
    branches: [main]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "deploy"
  deploy:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    # Add "id-token" with the intended permissions.
    permissions:
      contents: "read"
      id-token: "write"

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v2

      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v0"
        with:
          # Replace with your Workload Identity Provider Location
          workload_identity_provider: "$WORKLOAD_IDENTITY_PROVIDER_LOCATION"
          # Replace with your GitHub Service Account
          service_account: "$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com"

      - id: "deploy"
        uses: "google-github-actions/deploy-cloud-functions@v0"
        with:
          # Name of the Cloud Function, same as the entry point name
          name: "helloWorld"
          # Runtime to use for the function
          runtime: "python3.10"

      # Example of using the output
      - id: "test"
        run: 'curl "${{ steps.deploy.outputs.url }}"'

This gives me the following error in GitHub Actions:

Run google-github-actions/deploy-cloud-functions@v0
  with:
    name: helloWorld
    runtime: python3.10
    region: us-central1
    source_dir: ./
    timeout: 60s
    https_trigger_security_level: security_level_unspecified
    event_trigger_retry: false
    deploy_timeout: 300
    docker_registry: container-registry
  env:
    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/helloWorld/helloWorld/gha-creds-xxx.json
    GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/helloWorld/helloWorld/gha-creds-xxx.json
    GOOGLE_GHA_CREDS_PATH: /home/runner/work/helloWorld/helloWorld/gha-creds-xxx.json
    CLOUDSDK_CORE_PROJECT: engineering-infra
    CLOUDSDK_PROJECT: engineering-infra
    GCLOUD_PROJECT: engineering-infra
    GCP_PROJECT: engineering-infra
    GOOGLE_CLOUD_PROJECT: engineering-infra
Extracted project ID 'engineering-infra' from $GCLOUD_PROJECT
Created zip file from './' at '/tmp/cfsrc-xxx.zip'
Error: google-github-actions/deploy-cloud-functions failed with: failed to upload zip file: Failed to POST https://cloudfunctions.googleapis.com/v1/projects/engineering-infra/locations/us-central1/functions:generateUploadUrl: (400) {
  "error": {
    "code": 400,
    "message": "The request has violated one or more Org Policies. Please refer to the respective violations for more information.",
    "status": "FAILED_PRECONDITION",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
        "violations": [
          {
            "type": "constraints/gcp.resourceLocations",
            "subject": "orgpolicy:projects/engineering-infra",
            "description": "Constraint constraints/gcp.resourceLocations violated for projects/engineering-infra attempting GenerateUploadUrlActionV1 with location set to us-central1. See https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints for more information."
          }
        ]
      }
    ]
  }
}

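I am located in Northern Europe, so I would like to use Finland.

There are several scenarios that could cause the error you are seeing.

Could you verify that your service account has sufficient permissions, such as the iam.serviceAccountUser and iam.cloudFunctionsDeveloper roles on the project? You can find the details in the documentation.

Have you checked the Stack Overflow thread linked in the blog/tutorial shared above?

Another scenario could be that the organization policy "Resource Location Restriction" does not allow multi-regions (such as eu, us or asia, which contain two or more geographic locations) but does allow the region where you want to deploy the function (for example us-central1-locations); in that case the function will fail to deploy with this error.

If this is relevant to your use case, you can allow the multi-region in the organization policy "Resource Location Restriction", or you can temporarily change the resource location constraint to allow the multi-region, deploy the function, and then edit the organization policy back to the regional restriction. For details, you can check the documentation.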
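An added example, not part of the original question or answer: the log above shows the action's `region` input defaulting to `us-central1`, which is the location the constraint rejected. The fragment below prints the effective policy and then sets `region` explicitly on the deploy step. It assumes `europe-north1` (the Finland region) is allowed by the project's effective `constraints/gcp.resourceLocations` policy, that `gcloud` is available on the runner, and that the service account is permitted to read org policies.

```yaml
# Added example: replaces the "deploy" step of jobs.deploy in
# .github/workflows/main.yaml and adds a policy check before it.
steps:
  # Print the effective location policy for the project so the allowed
  # values appear in the job log before the deployment is attempted.
  # Assumptions: gcloud is on the runner, and the service account can
  # read org policies. GCLOUD_PROJECT is exported by the auth step,
  # as shown in the env block of the log above.
  - id: "policy"
    name: "Show effective resource location policy"
    run: |
      gcloud resource-manager org-policies describe \
        constraints/gcp.resourceLocations \
        --project="$GCLOUD_PROJECT" --effective

  - id: "deploy"
    uses: "google-github-actions/deploy-cloud-functions@v0"
    with:
      # Name of the Cloud Function, same as the entry point name
      name: "helloWorld"
      # Runtime to use for the function
      runtime: "python3.10"
      # Without this input the action used us-central1 (see the log),
      # the location the org policy rejected. europe-north1 is assumed
      # to be in the policy's allowed values.
      region: "europe-north1"
```

If the policy step lists only other locations or value groups, use one of those for `region` instead.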
