GCP的服务账户无法读取项目。

huangapple go评论60阅读模式
英文:

GCP's service account cannot read project

问题

我的GCP组织具有以下结构

mydomain.com
  - Root-project
  - Development
      - my-project-name

为了使用Terraform自动创建位于我的Development文件夹中的项目,我在Root项目中创建了一个服务帐户,并在Development中创建了一个IAM主体,并授予了Project CreatorProject Deleter权限。

我的Terraform脚本如下所示

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
      version = "4.68.0"
    }
  }
}

provider "google" {
  scopes = [
    "https://www.googleapis.com/auth/cloud-platform"
  ]
}

resource "google_project" "project" {
  name            = var.project_name
  folder_id       = var.folder_id
  project_id      = var.project_id
  billing_account = var.billing_account_id
}

当我在本地使用gcloud CLI身份验证运行此脚本时,对我的个人帐户和服务帐户都能正常工作。

但当我设置环境变量GOOGLE_CREDENTIALS后运行它时,我能够创建资源,但如果我再次运行它,因为Terraform会刷新状态,它会引发以下错误

Error: Error when reading or editing Project "my-project-id": googleapi: Error 403: Request had insufficient authentication scopes.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "method": "google.cloudresourcemanager.v1.Projects.GetProject",
│       "service": "cloudresourcemanager.googleapis.com"
│     },
│     "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
│   }
│ ]
│ More details:
│ Reason: insufficientPermissions, Message: Insufficient Permission

我不明白为什么我能够创建一个项目,但无法获取其数据。在IAM中,我看到我的服务帐户在my-project-name上具有Owner角色。

英文:

My GCP organization has the following structure

mydomain.com
  - Root-project 
  - Development
      - my-project-name

In order to automate the project creation within my Development folder using terraform, I created a service account in the Root project and created an IAM principal in Development and granted Project Creator as well as Project Deleter.

My terraform script looks something like

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
      version = "4.68.0"
    }
  }
}

provider "google" {
  scopes = [
    "https://www.googleapis.com/auth/cloud-platform"
  ]
}

resource "google_project" "project" {
  name = var.project_name
  folder_id = var.folder_id
  project_id = var.project_id
  billing_account = var.billing_account_id
}

When I run this script locally using glcoud CLI to authenticate on both my personal account and the service account everthing works fine.

When I run it after setting the credentials using the environment variable GOOGLE_CREDENTIALS I'm able to create the resources but if I run it again, as Terraform will refresh states, it throws this error

Error: Error when reading or editing Project "my-project-id": googleapi: Error 403: Request had insufficient authentication scopes.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "method": "google.cloudresourcemanager.v1.Projects.GetProject",
│       "service": "cloudresourcemanager.googleapis.com"
│     },
│     "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
│   }
│ ]
│ 
│ More details:
│ Reason: insufficientPermissions, Message: Insufficient Permission

I don't understand how can I be able to create a project but not able to fetch its data. In IAM I see that my service account has the Owner role on my-project-name.

答案1

得分: 1

当您使用CLI gcloud时,可能会使用与Terraform不同的凭据。Terraform使用应用程序默认凭据(ADC)。

运行此命令以确保ADC使用正确的凭据:

gcloud auth application-default login

具有权限问题的API是google.cloudresourcemanager.v1.Projects.GetProject

该API需要权限resourcemanager.projects.get文档

有几个具有该权限的预定义IAM角色。由于您需要创建项目,请在组织或父文件夹级别上添加以下角色:

roles/resourcemanager.projectCreator

ADC配置的凭据没有该权限,或者没有在正确的级别(文件夹或组织)上具有该权限。

英文:

When you are using the CLI gcloud you might be using different credentials than Terraform is using. Terraform uses Application Default Credentials (ADC).

Run this command to make sure ADC is using the correct credentials:

gcloud auth application-default login

The API that has the permission problem is google.cloudresourcemanager.v1.Projects.GetProject

That API requires the permission resourcemanager.projects.get. documentation

There are several predefined IAM Roles with that permission. Since you need to create projects, add the following role at the organization or parent folder level:

roles/resourcemanager.projectCreator

The crentials that ADC is configure for, does not have that permission or does not have that permission at the correct level (folder or organization).

huangapple
  • 本文由 发表于 2023年6月19日 17:13:37
  • 转载请务必保留本文链接:https://go.coder-hub.com/76505212.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定