Error applying IAM policy for service account in Pulumi

Question

I am trying to create a service account and assign roles, and it fails.

// Create the service account (the identity that will need storage access).
p, err := serviceaccount.NewAccount(ctx, "prom-frontend",
	&serviceaccount.AccountArgs{
		AccountId:   pulumi.String("prom-frontend"),
		DisplayName: pulumi.String("prom-frontend"),
		Project:     pulumi.String(c.Project),
	})
if err != nil {
	return err
}

// Create a project IAM policy binding for the service account to the role roles/storage.admin.
// Note: this binds on the service account resource (ServiceAccountId), not on the project.
_, err = serviceaccount.NewIAMBinding(ctx, "foo-bar-iam-binding", &serviceaccount.IAMBindingArgs{
	Role: pulumi.String("roles/storage.admin"),
	Members: pulumi.StringArray{
		pulumi.String("serviceAccount:prom-frontend@experiments.iam.gserviceaccount.com"),
	},
	ServiceAccountId: p.Name,
})
if err != nil {
	return err
}

This is the error I am getting from GCP:

>Error applying IAM policy for service account 'projects/endor-experiments/serviceAccounts/prom-frontend@xperiments.iam.gserviceaccount.com': Error setting IAM policy for service account 'projects/experiments/serviceAccounts/prom-frontend@experiments.iam.gserviceaccount.com': googleapi: Error 400: Role roles/storage.admin is not supported for this resource., badRequest

How do I solve this issue?

Answer 1

Score: 2

You are trying to modify the service account's IAM policy. A service account does not provide Cloud Storage services, so a storage-related IAM role is not supported on it. That is why you see this error:

Role roles/storage.admin is not supported for this resource

If your goal is to grant an IAM member permissions on Cloud Storage, modify the IAM policy of either the project or Cloud Storage.

A service account is both an identity and a resource.

As an identity, you can grant IAM roles to the service account for resources within a project/folder/organization.

As a resource, you can grant IAM roles to other identities to access the service account (e.g. create tokens).
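
Added example (my own code, not part of the question or the answer): a pre-apply check, in Go with only the standard library, that applies the rule the answer states: a binding is valid only when the target resource can enforce the role's permissions. The resource-name grammar and the accepted-role sets are my simplification of the GCP model (projects, folders and organizations take any predefined role; a bucket takes only roles/storage.*; a service-account resource takes only the roles/iam.serviceAccount* roles that govern who may act as it); basic roles (roles/owner, roles/editor) and custom roles are not modelled. The bindings in main are constructed from the service account in the question, and the bucket name is made up.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Kind is the family of IAM resource a binding is applied to.
type Kind int

const (
	KindUnknown        Kind = iota
	KindContainer           // projects/{id}, folders/{id}, organizations/{id}
	KindBucket              // buckets/{name}
	KindServiceAccount      // projects/{id}/serviceAccounts/{email}
)

// Binding is one (resource, role, member) triple, as a Pulumi IAMBinding/IAMMember sends it.
type Binding struct {
	Resource string // fully-qualified name of the resource whose policy is changed
	Role     string // predefined role, e.g. roles/storage.admin
	Member   string // e.g. serviceAccount:name@project.iam.gserviceaccount.com
}

// ErrRoleNotSupported mirrors the API's "Role ... is not supported for this resource" 400.
var ErrRoleNotSupported = errors.New("role not supported for this resource")
// Classify parses a resource name; for a service account it also returns the account email.
func Classify(resource string) (Kind, string) {
	parts := strings.Split(strings.Trim(resource, "/"), "/")
	switch {
	case len(parts) == 4 && parts[0] == "projects" && parts[2] == "serviceAccounts":
		return KindServiceAccount, parts[3]
	case len(parts) == 2 && (parts[0] == "projects" || parts[0] == "folders" || parts[0] == "organizations"):
		return KindContainer, ""
	case len(parts) == 2 && parts[0] == "buckets":
		return KindBucket, ""
	}
	return KindUnknown, ""
}

// roleService returns the service segment of a predefined role: "storage" for roles/storage.admin.
func roleService(role string) (string, bool) {
	rest := strings.TrimPrefix(role, "roles/")
	if rest == role { // custom roles (projects/.../roles/...) are not modelled here
		return "", false
	}
	if i := strings.Index(rest, "."); i > 0 {
		return rest[:i], true
	}
	return "", false // basic roles (roles/owner, roles/editor) have no service segment; not modelled
}

// Check applies the rule behind the error: a resource only accepts roles whose permissions it can
// enforce. The accepted sets are a simplified subset of GCP's model (assumption), enough for this case.
func Check(b Binding) error {
	kind, saEmail := Classify(b.Resource)
	svc, ok := roleService(b.Role)
	if !ok {
		return fmt.Errorf("%q is not a predefined service role; not checked", b.Role)
	}
	switch kind {
	case KindUnknown:
		return fmt.Errorf("unrecognised resource name %q", b.Resource)
	case KindContainer:
		return nil // a project, folder or organization accepts any predefined role
	case KindBucket:
		if svc == "storage" {
			return nil
		}
	case KindServiceAccount:
		// Only roles about acting as the account belong on the account itself.
		if svc == "iam" && strings.HasPrefix(strings.TrimPrefix(b.Role, "roles/iam."), "serviceAccount") {
			return nil
		}
		if b.Member == "serviceAccount:"+saEmail {
			return fmt.Errorf("%w: %s on %s; %s is both member and resource, so grant %s on the project or bucket it needs to reach instead",
				ErrRoleNotSupported, b.Role, b.Resource, saEmail, b.Role)
		}
	}
	return fmt.Errorf("%w: %s on %s", ErrRoleNotSupported, b.Role, b.Resource)
}

func main() {
	sa := "prom-frontend@experiments.iam.gserviceaccount.com" // from the question
	member := "serviceAccount:" + sa
	bindings := []Binding{
		{Resource: "projects/experiments/serviceAccounts/" + sa, Role: "roles/storage.admin", Member: member}, // the question's binding
		{Resource: "projects/experiments", Role: "roles/storage.admin", Member: member},                       // project-level grant
		{Resource: "buckets/prom-data", Role: "roles/storage.objectViewer", Member: member},                   // constructed bucket
		{Resource: "projects/experiments/serviceAccounts/" + sa, Role: "roles/iam.serviceAccountTokenCreator", Member: "user:alice@example.com"},
	}
	for _, b := range bindings {
		if err := Check(b); err != nil {
			fmt.Println("REJECT:", err)
		} else {
			fmt.Println("ok:", b.Role, "on", b.Resource, "for", b.Member)
		}
	}
}
```

The first binding is rejected with the same reasoning as the API error; the other three pass. In Pulumi's Go SDK the project-level grant is `projects.NewIAMMember` (the `projects` package of the GCP provider) with `Project`, `Role` and `Member: pulumi.Sprintf("serviceAccount:%s", p.Email)`, and a bucket-level grant is `storage.NewBucketIAMMember`; `serviceaccount.NewIAMBinding` remains the right resource for roles/iam.serviceAccountTokenCreator and similar roles on the account itself. Prefer the `IAMMember` variants over `IAMBinding` where other members already hold the role: an `IAMBinding` is authoritative for its role and replaces every other member bound to it.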

huangapple
  • Posted on 2022-10-19 21:04:49
  • Please keep this link when reposting: https://go.coder-hub.com/74125849.html