GCP操作系统补丁管理失败,服务帐号是否缺少权限?

huangapple go评论105阅读模式
英文:

GCP OS Patch Management fails, is the service account missing a permission?

问题

一个新的Windows Server VM的OS补丁管理作业失败,状态显示为“未检测到代理”。

在Windows GCE VM实例上从PowerShell运行的gcloud os-config troubleshoot命令响应为GetServicePermissionDeniedException

gcloud compute os-config troubleshoot {VMINSTANCE} --zone={ZONE}
OS Config troubleshooter tool is checking if there are issues with the VM Manager setup for this VM instance.

> Is the OS Config API enabled? Unknown
The troubleshooter encountered GetServicePermissionDeniedException while checking your instance.

所有在参考页面上的手动检查都成功了。

  • osconfig.googleapis.com已启用该项目。

  • Google Cloud OS Config服务代理service-PROJECT_NUMBER@gcp-sa-osconfig.iam.gserviceaccount.com拥有Cloud OS Config Service Agent角色(roles/osconfig.serviceAgent)。

  • 连通性测试通过,可以从PowerShell调用osconfig API。

VM使用自定义服务帐户,范围为["cloud-platform"],但未授予IAM角色,例如roles/compute.instanceAdmin.v1。这是否是自定义服务帐户缺少的工作权限?

[编辑]
使用IAM策略分析器,我确认自定义服务帐户在目标VM实例资源上具有Compute Instance Admin(v1)权限。

英文:

An OS Patch Management job for a new Windows Server VM fails with status No agent detected.

The gcloud os-config troublshoot command running from PowerShell on a windows GCE VM instance responds with GetServicePermissionDeniedException.

gcloud compute os-config troubleshoot {VMINSTANCE} --zone={ZONE}
OS Config troubleshooter tool is checking if there are issues with the VM Manager setup for this VM instance.

> Is the OS Config API enabled? Unknown
The troubleshooter encountered GetServicePermissionDeniedException while checking your instance.

All of the manual checks on that reference page succeed.

  • osconfig.googleapis.com is enabled for the project.

  • The Google Cloud OS Config Service Agent service-PROJECT_NUMBER@gcp-sa-osconfig.iam.gserviceaccount.com has the role Cloud OS Config Service Agent (roles/osconfig.serviceAgent).

  • The connectivity tests pass and osconfig api can be called from PowerShell.

The VM uses a custom service account with scopes = ["cloud-platform"] but no IAM roles have been granted such as roles/compute.instanceAdmin.v1.

Is the custom service account missing a permission for this to work?

[EDIT]
Using IAM Policy Analyser I confirmed that the custom service account has Compute Instance Admin (v1) on the target VM instance resource.

答案1

得分: 1

使用调试运行相同命令,异常信息将变得清晰:

gcloud compute os-config troubleshoot {VMINSTANCE} --zone={ZONE} --verbosity debug

在处理上述异常时,发生了另一个异常:

serviceusage.services.get
googlecloudsdk.api_lib.services.exceptions.GetServicePermissionDeniedException: PERMISSION_DENIED: Permission denied to get service [osconfig.googleapis.com]
error_code=110002&service=serviceusage.googleapis.com&permission=serviceusage.services.get&resource={PROJECT}
type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: serviceusage.googleapis.com
  metadata:
    permission: serviceusage.services.get
    resource: 
    service: serviceusage.googleapis.com
  reason: AUTH_PERMISSION_DENIED

ERROR: (gcloud.compute.os-config.troubleshoot) Could not fetch resource:
 - Required 'compute.projects.get' permission for 'projects/PROJECT'

或 "permission": "osconfig.inventories.get"

因此,请为该实例的服务帐户授予以下角色:

  • roles/serviceusage.serviceUsageConsumer(在项目上)
  • roles/compute.osLogin。
  • roles/osconfig.inventoryViewer

现在 troubleshoot 运行成功,我可以看到在我的情况下,通过移除此 VM 的元数据字段 osconfig-disabled-features=tasks,已解决了 "No agent detected" 问题。

英文:

Run the same command with debug and the exception is clear

gcloud compute os-config troubleshoot {VMINSTANCE} --zone={ZONE} --verbosity debug

During handling of the above exception, another exception occurred:
serviceusage.services.get 
    googlecloudsdk.api_lib.services.exceptions.GetServicePermissionDeniedException: PERMISSION_DENIED: Permission denied to get service [osconfig.googleapis.com]
error_code=110002&service=serviceusage.googleapis.com&permission=serviceusage.services.get&resource={PROJECT}
    type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: serviceusage.googleapis.com
  metadata:
    permission: serviceusage.services.get
    resource: 
    service: serviceusage.googleapis.com
  reason: AUTH_PERMISSION_DENIED

Or

ERROR: (gcloud.compute.os-config.troubleshoot) Could not fetch resource:

  • Required 'compute.projects.get' permission for 'projects/PROJECT'

Or "permission": "osconfig.inventories.get"

So give the instance's service account these roles:

  • roles/serviceusage.serviceUsageConsumer (on the project)
  • roles/compute.osLogin.
  • roles/osconfig.inventoryViewer

Now the troubleshoot runs, I can see that in my case, the No agent detected issue was resolved by removing this VM metadata field:
osconfig-disabled-features=tasks.

huangapple
  • 本文由 发表于 2023年7月20日 10:46:43
  • 转载请务必保留本文链接:https://go.coder-hub.com/76726369.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定