如何在 terraform 中将 `roles/bigquery.jobUser` 绑定到 GCP 项目?

huangapple go评论91阅读模式
英文:

How do I bind `roles/bigquery.jobUser` to a GCP project in terraform?

问题

我正在尝试在BigQuery中运行查询,并且出现以下错误信息:

google.api_core.exceptions.Forbidden: 403 POST https://bigquery.googleapis.com/bigquery/v2/projects/my-project/jobs?prettyPrint=false: Access Denied: Project my-project: User does not have bigquery.jobs.create permission in project my-project.

因此,我需要为我的服务帐号在 my-project 中授予 BigQuery Job User 角色。

最初,我以为我需要将它绑定到 数据集,所以写了以下内容,但实际上需要将绑定应用到 项目。然而,在 Google提供程序的Terraform文档 中,我找不到将事物绑定到项目的类似模式。

当我认为它绑定到数据集时,这是我的代码:

resource "google_bigquery_dataset_iam_binding" "dataset_job_user" {
  dataset_id = google_bigquery_dataset.dataset.dataset_id
  role   = "roles/bigquery.user"
  members = [
    "serviceAccount:${google_service_account.my_service_account.email}"
  ]
}

在Terraform中,我该如何将此角色绑定到项目级别呢?

英文:

I'm trying to run a query in BigQuery, and am getting:

google.api_core.exceptions.Forbidden: 403 POST https://bigquery.googleapis.com/bigquery/v2/projects/my-project/jobs?prettyPrint=false: Access Denied: Project my-project: User does not have bigquery.jobs.create permission in project my-project.

So, I need to give my service account the BigQuery Job User role in my-project.

Initially, I thought that I would bind it to the dataset so wrote the following, but the binding needs to go to the project. However, in the terraform docs for the google provider I can't see a similar pattern for binding things to projects.

Here's what I had when I thought it was bound to the dataset:

resource "google_bigquery_dataset_iam_binding" "dataset_job_user" {
  dataset_id = google_bigquery_dataset.dataset.dataset_id
  role   = "roles/bigquery.user"
  members = [
    "serviceAccount:${google_service_account.my_service_account.email}"
  ]
}

How can I bind this role at the project level in terraform?

答案1

得分: 1

因为在文档的侧边栏中没有顶级资源,所以我忽略了terraform提供程序中的项目资源。这与google_project_iam_binding相对应,需要绑定到它而不是其他地方。

正确的terraform代码是:

resource "google_project_iam_member" "project_bigquery_job_user" {
  project = var.project
  role    = "roles/bigquery.jobUser"
  members = [
    "serviceAccount:${google_service_account.my_service_account.email}"
  ]
}
英文:

Because there's no top-level resource inteh sidebar of the docs, I had overlooked the project resource in the terraform provider. This has a corresponding google_project_iam_binding and needed to bind to this instead.

The correct terraform code is:

resource "google_project_iam_member" "project_bigquery_job_user" {
  project = "${var.project}"
  role    = "roles/bigquery.jobUser"
  members = [
    "serviceAccount:${google_service_account.my_service_account.email}"
  ]
}

huangapple
  • 本文由 发表于 2023年8月9日 17:13:13
  • 转载请务必保留本文链接:https://go.coder-hub.com/76866233-2.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定