Permission error 403在使用GitHub动作部署pub sub云函数gen2时发生。

huangapple go评论60阅读模式
英文:

Permission error 403 while deploying pub sub cloud function gen2 using github action

问题

我在尝试使用GitHub Actions部署Pub/Sub Cloud Function Gen2时遇到了权限错误(403),但对于Gen1则没有问题。我已经按照设置部署工作流程的必要步骤进行了操作,但仍然遇到了这个错误。

以下是有关我的设置的一些背景信息:

我有一个用Java编写的Cloud Function,它会在Pub/Sub事件上触发。

我使用GitHub Actions作为我的CI/CD平台。

我已经设置了GitHub Actions访问我的Google Cloud项目所需的凭据和身份验证。

部署工作流似乎一直顺利进行,直到达到部署步骤。在那一点上,我收到以下错误消息:

PermissionError:调用方没有权限

我已经验证GitHub Actions使用的服务帐户具有Pub/Sub和Cloud Functions所需的IAM角色和权限。

以下是我为解决此问题采取的步骤:

  • 检查GitHub Actions使用的服务帐户的IAM角色和权限。它具有roles/pubsub.publisher和roles/cloudfunctions.admin角色。
  • 验证GitHub Actions工作流配置中的项目和服务帐户是否正确。
  • 确保Google Cloud项目中启用了所需的API(Pub/Sub和Cloud Functions)。
  • 使用gcloud命令行工具手动测试部署Cloud Function,测试成功。

尽管付出了这些努力,我仍然无法通过GitHub Actions成功部署Pub/Sub Cloud Function Gen2。

但是,当我尝试将命令从Gen2更改为Gen1时,它可以正常部署,没有任何问题。

非常感谢您提供有关解决此权限错误的见解、建议或可能的解决方案。提前感谢您的帮助。

以下是在GitHub操作中失败的Gen2命令:

gcloud functions deploy spannerdbbackup \
      --runtime java11 \
          --trigger-topic spanner-db-backup \
          --entry-point com.test.function.CreateSpannerBackUp \
          --source target/deployment \
          --region ${{env.REGION}} \
          --project ${{env.PROJECT_ID}} \
          --gen2 \

以下是在没有任何问题的情况下通过的Gen1命令:

gcloud functions deploy spannerdbbackup \
      --runtime java11 \
          --trigger-topic spanner-db-backup \
          --entry-point com.test.function.CreateSpannerBackUp \
          --source target/deployment \
          --region ${{env.REGION}} \
          --project ${{env.PROJECT_ID}} \
英文:

I am facing a permission error (403) while trying to deploy a Pub/Sub Cloud Function Gen2 using GitHub Actions however its passing for gen1 . I have followed the necessary steps to set up the deployment workflow, but I keep encountering this error.

Here is some background information on my setup:

I have a Cloud Function written in java that triggers on a Pub/Sub event.

I am using GitHub Actions as my CI/CD platform.

I have set up the necessary credentials and authentication for GitHub Actions to access my Google Cloud project.

The deployment workflow seems to be working fine until it reaches the deployment step. At that point, I receive the following error message:

PermissionError: The caller does not have permission

I have verified that the service account used by GitHub Actions has the necessary IAM roles and permissions for Pub/Sub and Cloud Functions.

Here are the steps I have taken to troubleshoot the issue:

Checked the IAM roles and permissions of the service account used by GitHub Actions. It has the roles roles/pubsub.publisher and roles/cloudfunctions.admin.

Verified that the project and service account are correct in the GitHub Actions workflow configuration.

Ensured that the necessary APIs (Pub/Sub and Cloud Functions) are enabled in the Google Cloud project.

Manually tested deploying the Cloud Function using the gcloud command-line tool, which was successful.

Despite these efforts, I am still unable to deploy the Pub/Sub Cloud Function Gen2 successfully through GitHub Actions.

However when i tried to modified the command from Gen2 to Gen1 it was deploying properly with no issues

I would greatly appreciate any insights, suggestions, or possible solutions to resolve this permission error. Thank you in advance for your help

Below is Gen2 command which is failing using github action

gcloud functions deploy spannerdbbackup \
      --runtime java11 \
          --trigger-topic spanner-db-backup \
          --entry-point com.test.function.CreateSpannerBackUp \
          --source target/deployment \
          --region ${{env.REGION}} \
          --project ${{env.PROJECT_ID}} \
          --gen2 \

Below is gen1 command which is passing without any issues

gcloud functions deploy spannerdbbackup \
      --runtime java11 \
          --trigger-topic spanner-db-backup \
          --entry-point com.test.function.CreateSpannerBackUp \
          --source target/deployment \
          --region ${{env.REGION}} \
          --project ${{env.PROJECT_ID}} \

答案1

得分: 1

你需要使用以下命令更新你的 gcloud CLI 版本436.0.0

gcloud components update

根据436.0.0 (2023-06-21)的发布说明

修复了在某些情况下,如果调用者缺少获取项目 IAM 策略权限,gcloud functions deploy 可能会失败的问题。

如果你的 gcloud CLI 已经更新到最新版本,我建议你将此问题报告为一个错误,以便 Google Cloud 的工程师进一步调查此问题。

让我知道这是否有帮助。

英文:

You need to update your gcloud CLI version to 436.0.0 by using this command:

gcloud components update

According to this release notes on 436.0.0 (2023-06-21):

> Fixed issue where gcloud functions deploy could fail in certain cases if the caller was missing permissions to get the project IAM policy.

In case that your gcloud CLI is already updated to the latest version, I would suggest to file this one as a bug so that Google Cloud engineers could further investigate on this case.

Let me know if this helps.

huangapple
  • 本文由 发表于 2023年6月22日 00:54:37
  • 转载请务必保留本文链接:https://go.coder-hub.com/76525553.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定