Google Cloud Service Account assign datastore.owner via Terraform
I created a Google Cloud service account user in Terraform:

resource "google_service_account" "firestore_sa" {
  account_id = "firestore_sa_${random_id.project-unique-id.hex}"
}
I want to grant the service account owner access to Firestore, but without success:

resource "google_service_account_iam_binding" "firestore_sa_role" {
  service_account_id = google_service_account.firestore_sa.name
  role               = "roles/datastore.owner"
  members            = ["serviceAccount:${google_service_account.firestore_sa.email}"]
}
The error I get is:

Error 400: Role roles/datastore.owner is not supported for this resource., badRequest
I can add it easily with gcloud:

gcloud projects add-iam-policy-binding MyProject-ABC123 \
  --member serviceAccount:firestore_sa@myproject-abc123.iam.gserviceaccount.com \
  --role roles/datastore.owner
I'm having trouble translating between the two and need some help.

I figured it out!

The first part is that the gcloud command hides some things that Terraform doesn't; you need all 3 of these:

The second part is that I was using google_service_account_iam_binding instead of a project binding. A project binding is what I actually needed. So my final configuration looks like:
resource "google_project_iam_binding" "firestore_sa_binding" {
  role    = "roles/datastore.owner"
  members = ["serviceAccount:${google_service_account.firestore_sa.email}"]
}

resource "google_project_iam_member" "firestore_sa_member" {
  role   = "roles/datastore.owner"
  member = "serviceAccount:${google_service_account.firestore_sa.email}"
}
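The point the error message is making is that roles/datastore.owner is a project-level role: it has to be attached to the project's IAM policy, not to the service account resource's own policy, which only accepts roles whose permissions act on the service account itself. The following is an added example, not the poster's configuration, showing the minimal project-level grant with the project made explicit. It assumes a configured google provider and a project id supplied through a hypothetical var.project_id; the random_id resource is reconstructed here so the block is self-contained.

```hcl
# Added example (not the original poster's code). Assumes the google provider
# is configured and the project id is passed in as var.project_id.
variable "project_id" {
  type        = string
  description = "Project that owns both the service account and the Firestore database"
}

resource "random_id" "project_unique_id" {
  byte_length = 4
}

# Service account IDs may contain only lowercase letters, digits and hyphens,
# so the suffix is joined with hyphens rather than underscores.
resource "google_service_account" "firestore_sa" {
  project      = var.project_id
  account_id   = "firestore-sa-${random_id.project_unique_id.hex}"
  display_name = "Firestore access for the application"
}

# Grant the role on the PROJECT. google_project_iam_member is non-authoritative:
# it adds this one member to the role and leaves every other member of
# roles/datastore.owner in the project policy untouched. This is the direct
# equivalent of `gcloud projects add-iam-policy-binding`.
resource "google_project_iam_member" "firestore_sa_datastore_owner" {
  project = var.project_id
  role    = "roles/datastore.owner"
  member  = "serviceAccount:${google_service_account.firestore_sa.email}"
}

# Handy for the verification step below.
output "firestore_sa_member" {
  value = "serviceAccount:${google_service_account.firestore_sa.email}"
}
```

Two caveats worth knowing before copying the poster's final configuration. First, google_project_iam_binding is authoritative for its role: Terraform will remove any member of roles/datastore.owner that is not in its members list, so it should not be combined with a google_project_iam_member for the same role, or the two resources will keep overwriting each other on every apply. Use one or the other per role. Second, roles/datastore.owner includes administrative permissions over Firestore; if the workload only reads and writes documents, roles/datastore.user is the narrower grant. After apply, the effective binding can be confirmed with `gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" --filter="bindings.members:serviceAccount:NAME@PROJECT_ID.iam.gserviceaccount.com"`, substituting the real project id and account name.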