How do I bind `roles/bigquery.jobUser` to a GCP project in terraform?
Question
I'm trying to run a query in BigQuery, and am getting:
    google.api_core.exceptions.Forbidden: 403 POST https://bigquery.googleapis.com/bigquery/v2/projects/my-project/jobs?prettyPrint=false: Access Denied: Project my-project: User does not have bigquery.jobs.create permission in project my-project.

So, I need to give my service account the BigQuery Job User role in my-project.
Initially, I thought that I would bind it to the dataset so wrote the following, but the binding needs to go to the project. However, in the terraform docs for the google provider I can't see a similar pattern for binding things to projects.
Here's what I had when I thought it was bound to the dataset:
    resource "google_bigquery_dataset_iam_binding" "dataset_job_user" {
      dataset_id = google_bigquery_dataset.dataset.dataset_id
      role       = "roles/bigquery.user"
      members = [
        "serviceAccount:${google_service_account.my_service_account.email}"
      ]
    }
How can I bind this role at the project level in terraform?
Answer 1
Score: 1
Because there's no top-level resource in the sidebar of the docs, I had overlooked the project resource in the terraform provider. This has a corresponding google_project_iam_binding and needed to bind to this instead.
The correct terraform code is:
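    # google_project_iam_binding is authoritative for the role: the members
    # list becomes the full set of principals holding it in the project.
    resource "google_project_iam_binding" "project_bigquery_job_user" {
      project = var.project
      role    = "roles/bigquery.jobUser"
      members = [
        "serviceAccount:${google_service_account.my_service_account.email}"
      ]
    }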
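
The google provider has two project-level resources for this grant: google_project_iam_binding takes a `members` list and is authoritative for the role, while google_project_iam_member takes a single `member` and only adds that one principal. The configuration below is an added example, not part of the original answer, showing the additive form beside the authoritative one; the `account_id` and `display_name` values are constructed, and the service account resource is declared here only so the example stands alone.

```hcl
variable "project" {
  description = "ID of the project the BigQuery jobs run in"
  type        = string
}

# Constructed service account so the example is self-contained; the page
# refers to an existing google_service_account.my_service_account.
resource "google_service_account" "my_service_account" {
  project      = var.project
  account_id   = "bq-query-runner" # constructed sample value
  display_name = "BigQuery query runner"
}

# Authoritative for the role: after apply, this list is the complete set of
# principals holding roles/bigquery.jobUser in the project. Any principal
# granted the role outside this resource loses it on the next apply.
#
# resource "google_project_iam_binding" "project_bigquery_job_user" {
#   project = var.project
#   role    = "roles/bigquery.jobUser"
#   members = [
#     "serviceAccount:${google_service_account.my_service_account.email}"
#   ]
# }

# Additive: manages only this principal's grant and leaves every other
# holder of the role untouched. Note the singular "member" argument.
resource "google_project_iam_member" "project_bigquery_job_user" {
  project = var.project
  role    = "roles/bigquery.jobUser"
  member  = "serviceAccount:${google_service_account.my_service_account.email}"
}
```

Use one of the two resources per role, not both: a binding and a member resource that manage the same role in the same project will overwrite each other on successive applies.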