Google Cloud DNS with Certbot (Wildcard) Giving Permission Issues

Question

I am trying to issue certificates including a wildcard using Certbot. The instructions for google-dns are clear, but I am stuck on the permissions and getting the following permission issue.

Encountered 403 Forbidden with reason "insufficientPermissions"
Encountered 403 Forbidden with reason "insufficientPermissions"
Error finding zone. Skipping cleanup.
Encountered error finding managed zone: <HttpError 403 when requesting https://dns.googleapis.com/dns/v1/projects/example/managedZones?dnsName=example.com.&alt=json returned "Request had insufficient authentication scopes.". Details: "[{'message': 'Insufficient Permission', 'domain': 'global', 'reason': 'insufficientPermissions'}]">

I've added DNS Admin role to my DNS Zone Permissions and DNS Reader role to my Project IAM Permissions under the principal of my main email for the account. What is going on?

Answer 1

Score: 1

Most likely you are not using the credentials that you think you are.

By default, the plugin will use ADC (Application Default Credentials) that are set up by the CLI gcloud. You might not have set up those credentials with the correct account.

Run the command gcloud auth application-default login and try again.

Your other option is to use the plugin command flag --dns-google-credentials to specify the service account JSON key file.
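
An added diagnostic, not part of the original answer or of Certbot: it follows the ADC search order (the `GOOGLE_APPLICATION_CREDENTIALS` variable, then the file written by `gcloud auth application-default login`, then the metadata server) and reports which credential would be picked up. It assumes the Linux/macOS well-known path; `resolve_adc`, `demo` and all sample values are constructed for illustration.

```python
import json
import os
import tempfile
from pathlib import Path

def resolve_adc(env, home):
    """Follow the ADC search order and describe the credential that would be used."""
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    well_known = Path(home) / ".config" / "gcloud" / "application_default_credentials.json"
    if explicit:
        source, path = "GOOGLE_APPLICATION_CREDENTIALS", Path(explicit)
    elif well_known.is_file():
        source, path = "gcloud application-default login", well_known
    else:
        # No credential file anywhere: the client library falls back to the metadata server.
        return {"source": "metadata server", "type": "attached service account", "identity": None}
    try:
        data = json.loads(path.read_text())
    except (OSError, ValueError) as exc:
        return {"source": source, "type": "unreadable", "identity": str(exc)}
    kind = data.get("type", "unknown")
    # A service account key names its principal; a user ADC file only carries
    # an OAuth client id and refresh token, not the e-mail address.
    identity = data.get("client_email") if kind == "service_account" else data.get("client_id")
    return {"source": source, "type": kind, "identity": identity}

def demo():
    """Constructed sample files (no real secrets) exercising each branch."""
    with tempfile.TemporaryDirectory() as home:
        results = [resolve_adc({}, home)]  # nothing configured yet
        adc_dir = Path(home) / ".config" / "gcloud"
        adc_dir.mkdir(parents=True)
        (adc_dir / "application_default_credentials.json").write_text(json.dumps(
            {"type": "authorized_user", "client_id": "constructed-client-id",
             "client_secret": "x", "refresh_token": "x"}))
        results.append(resolve_adc({}, home))  # user ADC from gcloud
        key = Path(home) / "sa.json"
        key.write_text(json.dumps(
            {"type": "service_account", "project_id": "example",
             "client_email": "certbot@example.iam.gserviceaccount.com"}))
        # The environment variable takes precedence over the gcloud file.
        results.append(resolve_adc({"GOOGLE_APPLICATION_CREDENTIALS": str(key)}, home))
        return results

if __name__ == "__main__":
    for r in demo():
        print(r)
    print(resolve_adc(os.environ, Path.home()))  # what this machine would use
```

Run it as the same user and in the same environment that runs Certbot (for example under `sudo` if Certbot runs as root), since both the environment variable and the home directory differ per user.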

huangapple
  • Posted on July 28, 2023 at 05:29:14
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76783509.html