在服务帐户上没有编辑角色的情况下创建实例组管理器失败
Creating Instance Group Manager fails without Editor role on service account
我有一个 node.js 应用程序试图创建一个实例组管理器。它在实例上 运行,服务帐户附加到范围为 compute-rw 和 cloud-platform 的实例。此服务帐户的角色具有以下权限:
includedPermissions:
- compute.autoscalers.create
- compute.autoscalers.get
- compute.disks.create
- compute.images.get
- compute.images.useReadOnly
- compute.instanceGroupManagers.create
- compute.instanceGroupManagers.get
- compute.instanceGroupManagers.use
- compute.instanceTemplates.create
- compute.instanceTemplates.get
- compute.instanceTemplates.useReadOnly
- compute.instances.create
- compute.instances.setMetadata
- compute.instances.setTags
- compute.networks.get
- compute.subnetworks.get
- compute.subnetworks.use
查看 resource.type="gce_instance_group_manager" 的审核日志,我可以在第一个日志条目中看到:
ProtoPayload.authorizationInfo:
- granted: true
permission: compute.instanceGroupManagers.create
resourceAttributes:
name: projects/my-project/zones/us-east1-b/instanceGroupManagers/resource-name
service: compute
type: compute.instanceGroupManagers
- granted: true
permission: compute.instanceTemplates.useReadOnly
resourceAttributes:
name: projects/my-project/global/instanceTemplates/resource-name
service: compute
type: compute.instanceTemplates
- granted: true
permission: compute.instances.create
resourceAttributes:
name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
service: compute
type: compute.instances
- granted: true
permission: compute.disks.create
resourceAttributes:
name: projects/my-project/zones/us-east1-b/disks/resource-name-0000
service: compute
type: compute.disks
- granted: true
permission: compute.images.useReadOnly
resourceAttributes:
name: projects/my-project/global/images/resource-name-image
service: compute
type: compute.images
- granted: true
permission: compute.subnetworks.use
resourceAttributes:
name: projects/my-project/regions/us-east1/subnetworks/resource-name-subnet
service: compute
type: compute.subnetworks
- granted: true
permission: compute.instances.setMetadata
resourceAttributes:
name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
service: compute
type: compute.instances
- granted: true
permission: compute.instances.setTags
resourceAttributes:
name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
service: compute
type: compute.instances
我得到了 200 OK,正文中有 status: "PENDING"。
只有在查看审核日志时,我才会看到一个没有解释的带有 status.message: INVALID_PARAMETER 的日志条目,然后是另一个带有:
的日志条目
jsonPayload.error:
- code: SERVICE_ACCOUNT_ACCESS_DENIED
detail_message: ''
location: ''
将编辑者角色附加到服务帐户时,我可以创建实例组管理器,因此似乎缺少一些权限。日志显示没有未授予的权限,所以可能缺少什么?
事实证明,instanceTemplate 将服务帐户附加到实例。因此,创建实例组管理器的实例所使用的服务帐户需要 iam.serviceAccountUser 角色。
在我的例子中,不需要服务帐户,因此我将其从实例模板中删除,上述权限有效。
我有一个 node.js 应用程序试图创建一个实例组管理器。它在实例上 运行,服务帐户附加到范围为 compute-rw 和 cloud-platform 的实例。此服务帐户的角色具有以下权限:
includedPermissions:
- compute.autoscalers.create
- compute.autoscalers.get
- compute.disks.create
- compute.images.get
- compute.images.useReadOnly
- compute.instanceGroupManagers.create
- compute.instanceGroupManagers.get
- compute.instanceGroupManagers.use
- compute.instanceTemplates.create
- compute.instanceTemplates.get
- compute.instanceTemplates.useReadOnly
- compute.instances.create
- compute.instances.setMetadata
- compute.instances.setTags
- compute.networks.get
- compute.subnetworks.get
- compute.subnetworks.use
查看 resource.type="gce_instance_group_manager" 的审核日志,我可以在第一个日志条目中看到:
ProtoPayload.authorizationInfo:
- granted: true
permission: compute.instanceGroupManagers.create
resourceAttributes:
name: projects/my-project/zones/us-east1-b/instanceGroupManagers/resource-name
service: compute
type: compute.instanceGroupManagers
- granted: true
permission: compute.instanceTemplates.useReadOnly
resourceAttributes:
name: projects/my-project/global/instanceTemplates/resource-name
service: compute
type: compute.instanceTemplates
- granted: true
permission: compute.instances.create
resourceAttributes:
name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
service: compute
type: compute.instances
- granted: true
permission: compute.disks.create
resourceAttributes:
name: projects/my-project/zones/us-east1-b/disks/resource-name-0000
service: compute
type: compute.disks
- granted: true
permission: compute.images.useReadOnly
resourceAttributes:
name: projects/my-project/global/images/resource-name-image
service: compute
type: compute.images
- granted: true
permission: compute.subnetworks.use
resourceAttributes:
name: projects/my-project/regions/us-east1/subnetworks/resource-name-subnet
service: compute
type: compute.subnetworks
- granted: true
permission: compute.instances.setMetadata
resourceAttributes:
name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
service: compute
type: compute.instances
- granted: true
permission: compute.instances.setTags
resourceAttributes:
name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
service: compute
type: compute.instances
我得到了 200 OK,正文中有 status: "PENDING"。
只有在查看审核日志时,我才会看到一个没有解释的带有 status.message: INVALID_PARAMETER 的日志条目,然后是另一个带有:
jsonPayload.error:
- code: SERVICE_ACCOUNT_ACCESS_DENIED
detail_message: ''
location: ''
将编辑者角色附加到服务帐户时,我可以创建实例组管理器,因此似乎缺少一些权限。日志显示没有未授予的权限,所以可能缺少什么?
事实证明,instanceTemplate 将服务帐户附加到实例。因此,创建实例组管理器的实例所使用的服务帐户需要 iam.serviceAccountUser 角色。
在我的例子中,不需要服务帐户,因此我将其从实例模板中删除,上述权限有效。