使用“--set-sql-instance”参数部署到云 运行 时,云构建权限被拒绝
Cloud build permission denied when deploy to cloud run with "--set-sql-instance" argument
我正在尝试配置构建 maven springboot 项目然后部署到云 运行s 的云构建触发器。我 运行 遇到一个问题,当我没有指定要连接的云 sql 实例时它可以工作,但是当我添加 "--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}" 作为参数之一时,它会抛出错误云构建如下:
Step #1: ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission
Finished Step #1
ERROR
ERROR: build step 1 "gcr.io/cloud-builders/gcloud" failed: exit status 1
以下是我的cloudbuild.yml
steps:
- name: 'gcr.io/kaniko-project/executor:latest'
args:
- --destination=gcr.io/$PROJECT_ID/${_IMAGE_NAME}
- --cache=true
- name: 'gcr.io/cloud-builders/gcloud'
args: [
"beta", "run",
"deploy", "${_SERVICE_NAME}-${_PROFILE}",
"--image", "gcr.io/${PROJECT_ID}/${_IMAGE_NAME}",
"--region", "${_REGION}",
"--platform", "managed",
"--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}",
"--allow-unauthenticated",
"--set-env-vars", "SPRING_PROFILES_ACTIVE=${_SPRING_PROFILE},DATABASE_CONNECTION_NAME=${_DATABASE_CONNECTION_NAME},DATABASE_NAME=${_DATABASE_NAME},DATABASE_USERNAME=${_DATABASE_USERNAME},DATABASE_PASSWORD=${_DATABASE_PASSWORD},MINIO_ACCESS_KEY=${_MINIO_ACCESS_KEY},MINIO_SECRET_KEY=${_MINIO_SECRET_KEY},MINIO_HOSTNAME=${_MINIO_HOSTNAME},MINIO_PORT=${_MINIO_PORT}"
]
images:
- gcr.io/${PROJECT_ID}/${_IMAGE_NAME}
并且我已经为服务帐户设置了 roles/permission,如下所示:
{PROJECT_ID}-compute@developer.gserviceaccount.com:编辑器,云 Sql 客户端 <-- 默认 SA<Cloud run service agent>:云 运行 服务代理,云 SQL 客户端<Cloud Build SA>:Cloud Build SA,云 运行 管理员
My Cloud 运行 服务也使用默认服务帐户作为其 SA
确保您还为 Cloud Build 服务帐户授予 iam.serviceAccountUser 角色,允许它在构建期间模拟 Cloud 运行 运行时服务帐户。
gcloud iam service-accounts add-iam-policy-binding
PROJECT_NUMBER-compute@developer.gserviceaccount.com
--member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com"
--role="roles/iam.serviceAccountUser"
有关详细信息,请参阅 Cloud Run deployment permissions。
我正在使用服务帐户部署具有 sql 个连接的云 运行 函数。我发现服务账号需要以下权限:
- serviceusage.quotas.get
- serviceusage.services.get
- serviceusage.services.list
我正在尝试配置构建 maven springboot 项目然后部署到云 运行s 的云构建触发器。我 运行 遇到一个问题,当我没有指定要连接的云 sql 实例时它可以工作,但是当我添加 "--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}" 作为参数之一时,它会抛出错误云构建如下:
Step #1: ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission
Finished Step #1
ERROR
ERROR: build step 1 "gcr.io/cloud-builders/gcloud" failed: exit status 1
以下是我的cloudbuild.yml
steps:
- name: 'gcr.io/kaniko-project/executor:latest'
args:
- --destination=gcr.io/$PROJECT_ID/${_IMAGE_NAME}
- --cache=true
- name: 'gcr.io/cloud-builders/gcloud'
args: [
"beta", "run",
"deploy", "${_SERVICE_NAME}-${_PROFILE}",
"--image", "gcr.io/${PROJECT_ID}/${_IMAGE_NAME}",
"--region", "${_REGION}",
"--platform", "managed",
"--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}",
"--allow-unauthenticated",
"--set-env-vars", "SPRING_PROFILES_ACTIVE=${_SPRING_PROFILE},DATABASE_CONNECTION_NAME=${_DATABASE_CONNECTION_NAME},DATABASE_NAME=${_DATABASE_NAME},DATABASE_USERNAME=${_DATABASE_USERNAME},DATABASE_PASSWORD=${_DATABASE_PASSWORD},MINIO_ACCESS_KEY=${_MINIO_ACCESS_KEY},MINIO_SECRET_KEY=${_MINIO_SECRET_KEY},MINIO_HOSTNAME=${_MINIO_HOSTNAME},MINIO_PORT=${_MINIO_PORT}"
]
images:
- gcr.io/${PROJECT_ID}/${_IMAGE_NAME}
并且我已经为服务帐户设置了 roles/permission,如下所示:
{PROJECT_ID}-compute@developer.gserviceaccount.com:编辑器,云 Sql 客户端 <-- 默认 SA<Cloud run service agent>:云 运行 服务代理,云 SQL 客户端<Cloud Build SA>:Cloud Build SA,云 运行 管理员
My Cloud 运行 服务也使用默认服务帐户作为其 SA
确保您还为 Cloud Build 服务帐户授予 iam.serviceAccountUser 角色,允许它在构建期间模拟 Cloud 运行 运行时服务帐户。
gcloud iam service-accounts add-iam-policy-binding
PROJECT_NUMBER-compute@developer.gserviceaccount.com
--member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com"
--role="roles/iam.serviceAccountUser"
有关详细信息,请参阅 Cloud Run deployment permissions。
我正在使用服务帐户部署具有 sql 个连接的云 运行 函数。我发现服务账号需要以下权限:
- serviceusage.quotas.get
- serviceusage.services.get
- serviceusage.services.list