GCP OS Patch Management fails, is the service account missing a permission?

Question


An OS Patch Management job for a new Windows Server VM fails with status No agent detected.

The gcloud os-config troubleshoot command running from PowerShell on a Windows GCE VM instance responds with GetServicePermissionDeniedException.

gcloud compute os-config troubleshoot {VMINSTANCE} --zone={ZONE}
OS Config troubleshooter tool is checking if there are issues with the VM Manager setup for this VM instance.

> Is the OS Config API enabled? Unknown
The troubleshooter encountered GetServicePermissionDeniedException while checking your instance.

All of the manual checks on that reference page succeed.

  • osconfig.googleapis.com is enabled for the project.

  • The Google Cloud OS Config Service Agent service-PROJECT_NUMBER@gcp-sa-osconfig.iam.gserviceaccount.com has the role Cloud OS Config Service Agent (roles/osconfig.serviceAgent).

  • The connectivity tests pass and osconfig api can be called from PowerShell.

The VM uses a custom service account with scopes = ["cloud-platform"] but no IAM roles have been granted such as roles/compute.instanceAdmin.v1.

Is the custom service account missing a permission for this to work?

[EDIT]
Using IAM Policy Analyser I confirmed that the custom service account has Compute Instance Admin (v1) on the target VM instance resource.

Answer 1

Score: 1


Run the same command with debug and the exception is clear

gcloud compute os-config troubleshoot {VMINSTANCE} --zone={ZONE} --verbosity debug

During handling of the above exception, another exception occurred:

serviceusage.services.get
googlecloudsdk.api_lib.services.exceptions.GetServicePermissionDeniedException: PERMISSION_DENIED: Permission denied to get service [osconfig.googleapis.com]
error_code=110002&service=serviceusage.googleapis.com&permission=serviceusage.services.get&resource={PROJECT}
type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: serviceusage.googleapis.com
  metadata:
    permission: serviceusage.services.get
    resource: 
    service: serviceusage.googleapis.com
  reason: AUTH_PERMISSION_DENIED

Or

ERROR: (gcloud.compute.os-config.troubleshoot) Could not fetch resource:
 - Required 'compute.projects.get' permission for 'projects/PROJECT'

Or "permission": "osconfig.inventories.get"

So give the instance's service account these roles:

  • roles/serviceusage.serviceUsageConsumer (on the project)
  • roles/compute.osLogin
  • roles/osconfig.inventoryViewer

Now the troubleshoot runs, and I can see that in my case the No agent detected issue was resolved by removing this VM metadata field:
osconfig-disabled-features=tasks
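The procedure in this answer (read the missing permission out of the debug output, grant the matching role to the VM's service account, remove the osconfig-disabled-features key) as an added POSIX shell example. It is not part of the original answer: the project id, zone, VM name, service-account email and the three error snippets are constructed placeholders, the permission-to-role mapping is the answer's three roles (whether each is the narrowest role that carries the permission is an assumption), and the gcloud commands are printed as a dry run rather than executed, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): parse the PERMISSION_DENIED text that
# `gcloud compute os-config troubleshoot --verbosity debug` prints, pick the role the
# answer grants for that permission, and emit the gcloud commands without running them.
# Project id, VM name, zone and service-account email are constructed placeholders.

PROJECT="my-project"
VM="win-vm-1"
ZONE="us-central1-a"
VM_SA="vm-sa@my-project.iam.gserviceaccount.com"

# Constructed error snippets, one per shape shown in the answer.
SAMPLE_SERVICEUSAGE='googlecloudsdk.api_lib.services.exceptions.GetServicePermissionDeniedException: PERMISSION_DENIED: Permission denied to get service [osconfig.googleapis.com]
error_code=110002&service=serviceusage.googleapis.com&permission=serviceusage.services.get&resource=my-project'
SAMPLE_COMPUTE="ERROR: (gcloud.compute.os-config.troubleshoot) Could not fetch resource:
 - Required 'compute.projects.get' permission for 'projects/my-project'"
SAMPLE_OSCONFIG='"permission": "osconfig.inventories.get"'

# Print the first permission name found, in any of the formats gcloud uses:
# query-string field (permission=...), YAML field (permission: ...),
# "Required '...' permission" sentence, or JSON field ("permission": "...").
missing_permission() {
  printf '%s\n' "$1" | sed -n \
    -e 's/.*[&?]permission=\([^&]*\).*/\1/p' \
    -e 's/^[[:space:]]*permission:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
    -e "s/.*Required '\([^']*\)' permission.*/\1/p" \
    -e 's/.*"permission":[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Map a missing permission to the role the answer grants for it; returns 1 for
# anything else so the caller can stop instead of granting a broad role by guess.
role_for_permission() {
  case "$1" in
    serviceusage.services.get) echo "roles/serviceusage.serviceUsageConsumer" ;;
    compute.projects.get)      echo "roles/compute.osLogin" ;;
    osconfig.inventories.get)  echo "roles/osconfig.inventoryViewer" ;;
    *) echo ""; return 1 ;;
  esac
}

# Build (do not run) the project-level binding for one role.
grant_command() {
  printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=%s\n' "$1" "$2" "$3"
}

# True when a metadata item disables the OS Config "tasks" feature (the answer's cause).
metadata_disables_tasks() {
  case "$1" in
    osconfig-disabled-features=*tasks*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build (do not run) the command that strips that key from the VM's metadata.
remove_metadata_command() {
  printf 'gcloud compute instances remove-metadata %s --zone=%s --keys=osconfig-disabled-features\n' "$1" "$2"
}

# Dry run over the constructed samples: show what would be granted and removed.
main() {
  for sample in "$SAMPLE_SERVICEUSAGE" "$SAMPLE_COMPUTE" "$SAMPLE_OSCONFIG"; do
    perm=$(missing_permission "$sample")
    role=$(role_for_permission "$perm") || { echo "# no known role for '$perm'"; continue; }
    echo "# $perm -> $role"
    grant_command "$PROJECT" "$VM_SA" "$role"
  done
  if metadata_disables_tasks "osconfig-disabled-features=tasks"; then
    remove_metadata_command "$VM" "$ZONE"
  fi
}

main
```

Run it with `sh` to see the three bindings and the remove-metadata command; replace the placeholders and paste the printed lines once you have confirmed each role against the permission actually named in your own debug output.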

huangapple
  • Posted on 20 July 2023 10:46:43
  • Please keep this link when reposting: https://go.coder-hub.com/76726369.html