Error applying IAM policy for service account in Pulumi
Question
I am trying to create a service account and assign roles, and it fails.
    // Create the service account. c.Project is the asker's project configuration value (not shown in the post).
    p, err := serviceaccount.NewAccount(ctx, "prom-frontend",
        &serviceaccount.AccountArgs{
            AccountId:   pulumi.String("prom-frontend"),
            DisplayName: pulumi.String("prom-frontend"),
            Project:     pulumi.String(c.Project),
        })
    if err != nil {
        return err
    }
    // create Project Iam policy binding for the service account to the role roles/storage.admin
    // (Note: this resource sets the IAM policy of the service account itself; p.Name is the
    // full "projects/.../serviceAccounts/..." resource name. This is the call that fails below.)
    _, err = serviceaccount.NewIAMBinding(ctx, "foo-bar-iam-binding", &serviceaccount.IAMBindingArgs{
        Role: pulumi.String("roles/storage.admin"),
        Members: pulumi.StringArray{
            pulumi.String("serviceAccount:prom-frontend@experiments.iam.gserviceaccount.com"),
        },
        ServiceAccountId: p.Name,
    })
    if err != nil {
        return err
    }
This is the error I am getting from GCP:
>Error applying IAM policy for service account 'projects/endor-experiments/serviceAccounts/prom-frontend@xperiments.iam.gserviceaccount.com': Error setting IAM policy for service account 'projects/experiments/serviceAccounts/prom-frontend@experiments.iam.gserviceaccount.com': googleapi: Error 400: Role roles/storage.admin is not supported for this resource., badRequest
How do I solve this issue?
Answer 1
Score: 2
You are trying to modify the service account's IAM policy. A service account does not provide cloud storage services, therefore a storage-related IAM role is not supported. That is why you see this error:
Role roles/storage.admin is not supported for this resource
If your goal is to grant permissions to an IAM member to Cloud Storage, modify the IAM policy of either the project or the Cloud Storage bucket.
A service account is both an identity and a resource.
As an identity, you can grant IAM roles to the service account for resources within a project/folder/organization.
As a resource, you can grant IAM roles to other identities to access the service account (e.g. create tokens).
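Added example (editor's code, not part of the question or the answer above): a stdlib-only Go helper that a Pulumi program can run over its planned grants before handing them to the SDK. It derives the `serviceAccount:<email>` member from the account's full resource name (what `p.Name` holds), rejects roles that a service account's own policy cannot carry, and retargets a storage role from the service account to a bucket or, failing that, the project. The type and function names, the role allowlist in `CheckRoleTarget`, the bucket `prom-frontend-metrics` and the user `alice@example.com` are assumptions made for this example. In the Pulumi program itself the retargeted grant corresponds to `storage.NewBucketIAMMember` or `projects.NewIAMMember` with the same role and `Member: pulumi.Sprintf("serviceAccount:%s", p.Email)`, and the token-creator grant to `serviceaccount.NewIAMMember` on `p.Name`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Binding describes one IAM grant the program intends to apply: which kind of
// resource carries the policy ("serviceaccount", "project" or "bucket"), the
// resource identifier, the role and the member.
type Binding struct {
	Kind     string
	Resource string
	Role     string
	Member   string
}

// MemberFromAccountName turns the fully-qualified service-account resource
// name that Pulumi exposes as Account.Name
// ("projects/<project>/serviceAccounts/<email>") into the member string IAM
// policies expect ("serviceAccount:<email>"). Deriving it avoids the
// hand-typed email in the question.
func MemberFromAccountName(name string) (string, error) {
	const marker = "/serviceAccounts/"
	i := strings.Index(name, marker)
	if !strings.HasPrefix(name, "projects/") || i < 0 {
		return "", fmt.Errorf("not a service account resource name: %q", name)
	}
	email := name[i+len(marker):]
	if !strings.Contains(email, "@") {
		return "", fmt.Errorf("service account resource name has no email: %q", name)
	}
	return "serviceAccount:" + email, nil
}

// CheckRoleTarget rejects role/resource pairs that GCP answers with
// "Role ... is not supported for this resource". A service account's own policy
// only takes roles about the service account itself (the iam.serviceAccount*
// family, workload identity, and the basic roles); any other role belongs on
// the resource it governs. The allowlist is an assumption kept short for the
// example; extend it from the IAM role reference if you adopt this check.
func CheckRoleTarget(b Binding) error {
	switch b.Kind {
	case "project", "bucket":
		return nil
	case "serviceaccount":
		if strings.HasPrefix(b.Role, "roles/iam.serviceAccount") ||
			b.Role == "roles/iam.workloadIdentityUser" ||
			b.Role == "roles/owner" || b.Role == "roles/editor" || b.Role == "roles/viewer" {
			return nil
		}
		return fmt.Errorf("role %s is not supported on a service account resource; bind it on the project or on the resource it governs", b.Role)
	default:
		return fmt.Errorf("unknown binding kind %q", b.Kind)
	}
}

// RetargetStorageGrant rewrites a storage role that was mistakenly placed on a
// service account resource into a grant on the given bucket, or on the project
// when no bucket is given. The member is the service account's identity,
// derived from its resource name.
func RetargetStorageGrant(b Binding, project, bucket string) (Binding, error) {
	if b.Kind != "serviceaccount" || !strings.HasPrefix(b.Role, "roles/storage.") {
		return Binding{}, errors.New("not a storage role on a service account")
	}
	member, err := MemberFromAccountName(b.Resource)
	if err != nil {
		return Binding{}, err
	}
	if bucket != "" {
		return Binding{Kind: "bucket", Resource: bucket, Role: b.Role, Member: member}, nil
	}
	return Binding{Kind: "project", Resource: project, Role: b.Role, Member: member}, nil
}

func main() {
	// Constructed input mirroring the question: the binding the asker tried.
	bad := Binding{
		Kind:     "serviceaccount",
		Resource: "projects/experiments/serviceAccounts/prom-frontend@experiments.iam.gserviceaccount.com",
		Role:     "roles/storage.admin",
	}
	fmt.Println("preflight:", CheckRoleTarget(bad))

	fixed, err := RetargetStorageGrant(bad, "experiments", "prom-frontend-metrics")
	if err != nil {
		panic(err)
	}
	fmt.Printf("apply %s on %s %s for %s\n", fixed.Role, fixed.Kind, fixed.Resource, fixed.Member)

	// What the service account's own policy is for: letting another identity
	// act as it, here by minting tokens.
	ok := Binding{
		Kind:     "serviceaccount",
		Resource: bad.Resource,
		Role:     "roles/iam.serviceAccountTokenCreator",
		Member:   "user:alice@example.com",
	}
	fmt.Println("preflight:", CheckRoleTarget(ok))
}
```

Prefer the bucket target when you know the bucket: roles/storage.admin on the project covers every bucket in it, including creating and deleting buckets, whereas a bucket-scoped roles/storage.objectAdmin or roles/storage.objectViewer is usually all a workload needs.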
Comments