Docker-Machine does not work with a Google Cloud service account
I used a service account to create a Google Compute instance:
gcloud --project my-proj compute instances create test1 \
--image-family "debian-9" --image-project "debian-cloud" \
--machine-type "g1-small" --network "default" --maintenance-policy "MIGRATE" \
--service-account "gke-build-robot@myproj-184015.iam.gserviceaccount.com" \
--scopes "https://www.googleapis.com/auth/cloud-platform" \
--tags "gitlab-runner" \
--boot-disk-size "10" --boot-disk-type "pd-standard" --boot-disk-device-name "$RESOURCE_NAME" \
--metadata register_token=mytoken,config_bucket=gitlab_config,runner_name=test1,gitlab_uri=myuri,runner_tags=backend \
--metadata-from-file "startup-script=startup-scripts/prepare-runner.sh"
I logged into the instance via ssh: gcloud compute --project "myproj" ssh --zone "europe-west1-b" "gitlab-shared-runner-pool"
After installing and configuring docker-machine, I tried to create an instance:
docker-machine create --driver google --google-project myproj test2
Running pre-create checks...
(test2) Check that the project exists
(test2) Check if the instance already exists
Creating machine...
(test2) Generating SSH Key
(test2) Creating host...
(test2) Opening firewall ports
(test2) Creating instance
(test2) Waiting for Instance
Error creating machine: Error in driver during machine creation: Operation error: {EXTERNAL_RESOURCE_NOT_FOUND The resource '1045904521672-compute@developer.gserviceaccount.com' of type 'serviceAccount' was not found. []}
1045904521672-compute@developer.gserviceaccount.com is my default account.
I don't understand why it is being used, since the active account is gke-build-robot@myproj-184015.iam.gserviceaccount.com:
gcloud config list
[core]
account = gke-build-robot@myproj-184015.iam.gserviceaccount.com
disable_usage_reporting = True
project = novaposhta-184015
Your active configuration is: [default]
gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* gke-build-robot@myproj-184015.iam.gserviceaccount.com
Can anyone explain what I am doing wrong?
A similar issue (bosh-google-cpi-release issue 144) hints at something:

This error message is unclear, particularly because the credentials which also need to be specified in the manifest may be associated with another account altogether. The default service_account for the bosh-google-cpi-release is set to "default" if it is not proactively set by the bosh manifest, so this will happen anytime you use service_scopes instead of a service_account.

Although you are not using bosh-google-cpi-release, that last sentence made me double-check the gcloud reference page, in particular gcloud compute instances create:

A service account is an identity attached to the instance. Its access tokens can be accessed through the instance metadata server and are used to authenticate applications on the instance. The account can be either an email address or an alias corresponding to a service account. You can explicitly specify the Compute Engine default service account using the 'default' alias. If not provided, the instance will get the project's default service account.

It looks as if your service account is being ignored or is incorrect (and the instance falls back to the project's default account).
See "Creating and Enabling Service Accounts for Instances" to double-check its value:

Usually, the service account's email is derived from the service account ID, in the format:
[SERVICE-ACCOUNT-NAME]@[PROJECT_ID].iam.gserviceaccount.com

Or try.
There were two problems.
- First, docker-machine cannot use a specific service account, at least in versions 0.12 and 0.13.
- The Docker Machine google driver only has a scope parameter; there is no way to pass a specific service account.
So the instance on which docker-machine is installed works fine under the specified SA, but the instances created by docker-machine must use the default service account.
During debugging I had turned that account off.
As a result I got this error.
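Since the driver cannot be pointed at a dedicated service account, the practical pre-flight check before running docker-machine is whether the project's default Compute Engine service account still exists and is enabled, and, because that account is what every created instance will run as, to hand it only the OAuth scopes the workload needs. The script below is an added example, not code from the question or either answer: the parsing helpers run offline against a constructed copy of the error text quoted above, and the check_default_sa function assumes an installed, authenticated gcloud and a project you can read. The scope list in the suggested docker-machine command line is an assumption about what a GitLab runner host needs; adjust it to your workload.

```shell
#!/bin/sh
# Added example (not from the question or answers): pre-flight check for the
# docker-machine google driver, which (as of 0.12/0.13) cannot be told which
# service account to use and always attaches the project's default Compute
# Engine service account. The "check" mode assumes gcloud is installed and
# authenticated; the parsing helpers run offline.
set -eu

# Constructed copy of the error text quoted in the question, used as sample input.
SAMPLE_ERROR="Error creating machine: Error in driver during machine creation: Operation error: {EXTERNAL_RESOURCE_NOT_FOUND The resource '1045904521672-compute@developer.gserviceaccount.com' of type 'serviceAccount' was not found. []}"

# Extract the service-account email named in an EXTERNAL_RESOURCE_NOT_FOUND error.
sa_from_error() {
  printf '%s\n' "$1" |
    sed -n "s/.*The resource '\([^']*\)' of type 'serviceAccount' was not found.*/\1/p"
}

# The default Compute Engine service account is always
# PROJECT_NUMBER-compute@developer.gserviceaccount.com.
default_compute_sa() {
  printf '%s-compute@developer.gserviceaccount.com\n' "$1"
}

# Inverse: recover the project number from a default compute SA email.
# Prints nothing for any other kind of account (e.g. a user-managed SA).
project_number_from_sa() {
  printf '%s\n' "$1" |
    sed -n 's/^\([0-9][0-9]*\)-compute@developer\.gserviceaccount\.com$/\1/p'
}

# Live check (needs gcloud): is the default compute SA present and enabled?
# Exit status: 0 = usable, 1 = missing, 2 = disabled.
check_default_sa() {
  project=$1
  number=$(gcloud projects describe "$project" --format='value(projectNumber)')
  sa=$(default_compute_sa "$number")
  # "disabled" is only set on a disabled account, so an enabled one prints an empty value.
  if ! disabled=$(gcloud iam service-accounts describe "$sa" --project "$project" \
                    --format='value(disabled)' 2>/dev/null); then
    echo "MISSING: $sa does not exist in $project; docker-machine create will fail with EXTERNAL_RESOURCE_NOT_FOUND." >&2
    echo "A deleted service account can be undeleted within 30 days by its unique id: gcloud iam service-accounts undelete <unique-id>" >&2
    return 1
  fi
  if [ "$disabled" = "True" ]; then
    echo "DISABLED: $sa is disabled; re-enable it with: gcloud iam service-accounts enable $sa --project $project" >&2
    return 2
  fi
  echo "OK: $sa is present and enabled."
  # The driver cannot use a dedicated account, so keep the token it hands out narrow:
  # pass explicit --google-scopes instead of cloud-platform (assumed scope list).
  echo "Suggested: docker-machine create --driver google --google-project $project \\"
  echo "  --google-scopes https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write <name>"
}

# Usage: ./check-default-sa.sh check <project-id>
if [ "${1:-}" = "check" ] && [ -n "${2:-}" ]; then
  check_default_sa "$2"
fi
```

Two points worth keeping in mind when using it: the identity that runs docker-machine (here the runner host's gke-build-robot account) must be allowed to attach the default SA to new instances, which means roles/iam.serviceAccountUser on that account, and the default compute SA carries whatever project-level role it was granted, so narrowing scopes limits the token an instance can fetch from the metadata server but does not replace trimming that role.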