`IAM_PERMISSION_DENIED` on a deployed service on GCP, but no errors on localhost

Question

I'm getting an error `details: name = ErrorInfo reason = IAM_PERMISSION_DENIED domain = iam.googleapis.com metadata = map[permission:logging.logEntries.create]` when I check the logs of a deployed container in GCP. I'm not sure why this is happening, since running the container on localhost seems to work fine.

The service is deployed on the same host as another service, but on a different port number. The other service seems to be working fine, although it doesn't use any Google API services.

The service having the error on GCP has a `.env` file with this content:

```
GOOGLE_APPLICATION_CREDENTIALS=json/name-of-json-file.json
```

With the JSON file being the service account key file. The Dockerfile looks like this:

```dockerfile
# Specifies a parent image
FROM golang:1.19.2-bullseye

# Creates an app directory to hold your app's source code
WORKDIR /app

# Copies everything from your root directory into /app
COPY . .

# Installs Go dependencies
RUN go mod download

# Builds your app with optional configuration
RUN go build -o /logging-go

# Tells Docker which network port your container listens on
EXPOSE 8040

# Specifies the executable command that runs when the container starts
CMD [ "/logging-go" ]
```

The service is making use of the Google Logging API and is accessed through this snippet of code:

```go
package main

import (
	"context"
	"log"

	"cloud.google.com/go/logging"
	"google.golang.org/api/option"
)

func main() {
	// Load reads the .env file into a config struct (helper defined elsewhere in the service)
	c, cErr := Load(".env")
	if cErr != nil {
		log.Fatalf("could not load config: %s", cErr)
	}

	// initializes the Cloud Logging client with the key file named in .env
	ctx := context.Background()
	opt := option.WithCredentialsFile(c.GoogleApplicationCredentials)
	loggerClient, clientErr := logging.NewClient(ctx, "poc-projects-01", opt)
	if clientErr != nil {
		log.Fatal(clientErr)
	}

	// Ping writes a test entry, so a missing logging.logEntries.create permission fails here
	if clientErr := loggerClient.Ping(ctx); clientErr != nil {
		log.Fatal(clientErr)
	}

	logger := loggerClient.Logger("frontend_logs")
	_ = logger // used by the service's handlers
}
```

It works fine on my localhost when running it through Docker, but it doesn't work on GCP. Any ideas on how I can fix this?

Answer 1

Score: 0

> error details: name = ErrorInfo reason = IAM_PERMISSION_DENIED domain
> = iam.googleapis.com metadata = map[permission:logging.logEntries.create]

The above error means you have a permissions issue when trying to access the Google Logging API from your deployed container. This could occur if the service account key you are using does not have the correct permissions to access the API, or if the service account key has not been properly configured.

To ensure that the service account key has the correct permissions, you should check the IAM roles associated with the service account and make sure that the roles have the correct permissions to access the Google Logging API; check whether you have the 'logging.logEntries.create' role assigned to your service account.

Attaching troubleshooting document for reference.
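As an added example, not from the question or either answer: a stdlib-only Go pre-flight check that mirrors the question's setup and the advice in answer 1. It resolves the relative GOOGLE_APPLICATION_CREDENTIALS path the way the container would (cwd is WORKDIR /app), confirms the file is a service-account key, reports which service account the client would act as, and warns when the key's project_id differs from the project passed to logging.NewClient, since that account then has no role in the target project unless one is granted. The `preflight`/`saKey` names and the sample key are constructed for this example; nothing here calls a Google API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

type saKey struct { // key-file fields that matter for diagnosing IAM_PERMISSION_DENIED
	Type        string `json:"type"`
	ProjectID   string `json:"project_id"`
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

// preflight resolves credPath as the container would (relative to cwd, i.e. WORKDIR /app), parses
// the key, and returns the service-account email plus warnings for conditions behind the question's error.
func preflight(credPath, cwd, targetProject string) (string, []string, error) {
	if !filepath.IsAbs(credPath) {
		credPath = filepath.Join(cwd, credPath)
	}
	data, err := os.ReadFile(credPath) // common failure: key file excluded by .dockerignore
	if err != nil {
		return "", nil, fmt.Errorf("cannot read credentials: %w", err)
	}
	var k saKey
	if err := json.Unmarshal(data, &k); err != nil {
		return "", nil, fmt.Errorf("%s is not valid JSON: %w", credPath, err)
	}
	if k.Type != "service_account" || k.ClientEmail == "" || k.PrivateKey == "" {
		return "", nil, fmt.Errorf("%s is not a service-account key file", credPath)
	}
	var warns []string
	if k.ProjectID != targetProject { // the key's account has no role in the target project by default
		warns = append(warns, fmt.Sprintf("key is from project %q but client targets %q; grant %s roles/logging.logWriter there", k.ProjectID, targetProject, k.ClientEmail))
	}
	return k.ClientEmail, warns, nil
}

func main() {
	// Constructed sample key with placeholder values (not a real credential), laid out like the question's json/ directory.
	dir, _ := os.MkdirTemp("", "keycheck")
	defer os.RemoveAll(dir)
	_ = os.MkdirAll(filepath.Join(dir, "json"), 0o700)
	sample := `{"type":"service_account","project_id":"other-project","client_email":"logger@other-project.iam.gserviceaccount.com","private_key":"PLACEHOLDER"}`
	_ = os.WriteFile(filepath.Join(dir, "json", "name-of-json-file.json"), []byte(sample), 0o600)
	email, warns, err := preflight("json/name-of-json-file.json", dir, "poc-projects-01")
	fmt.Println(email, warns, err) // log the identity in use before constructing the logging client
}
```

Running this at container start (before `logging.NewClient`) turns a bare IAM_PERMISSION_DENIED into a log line naming the exact service account and project to fix in IAM.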

Answer 2

Score: 0

I know I have correct permissions on my service account keys and even had one of the DevOps people create me one, but it still wasn't working. I found that using the default service account key finally got it working on GCP.

huangapple
  • Published 2023-02-10 10:29:33
  • Please keep this link when reposting: https://go.coder-hub.com/75406388.html