Unable to create google group with Terraform resource google_cloud_identity_group
The following resource is used to create a Google group with Terraform, provider google-beta, version 3.36:
resource "google_cloud_identity_group" "cloud_identity_group_basic" {
  provider     = google-beta
  display_name = "aaa bbb"
  parent       = "customers/XXX"

  group_key {
    id = "aaa_bbb@evilcorp.com"
  }

  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}
terraform plan tells me it will create the resource, but running apply results in an error (Actor does not have permission to create group). The terraform service account already has a lot of permissions, such as Organization Administrator, Google Cloud Managed Identities Admin, Google Cloud Managed Identities Domain Admin, ...
G Suite domain-wide delegation has also been tried, but I am not sure how that could help.
Terraform will perform the following actions:

  # google_cloud_identity_group.cloud_identity_group_basic will be created
  + resource "google_cloud_identity_group" "cloud_identity_group_basic" {
      + create_time  = (known after apply)
      + display_name = "aaa bbb"
      + id           = (known after apply)
      + labels       = {
          + "cloudidentity.googleapis.com/groups.discussion_forum" = ""
        }
      + name         = (known after apply)
      + parent       = "customers/XXX"
      + update_time  = (known after apply)

      + group_key {
          + id = "aaa_bbb@evilcorp.com"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_cloud_identity_group.cloud_identity_group_basic: Creating...

Error: Error creating Group: googleapi: Error 403: Error(2015): Actor does not have permission to create group 'aaa_bbb@evilcorp.com'.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "description": "Error(2015): Actor does not have permission to create group 'aaa_bbb@evilcorp.com'.",
    "owner": "domain:cloudidentity.googleapis.com",
    "resourceType": "cloudidentity.googleapis.com/Group"
  }
]

  on groups.tf line 1, in resource "google_cloud_identity_group" "cloud_identity_group_basic":
   1: resource "google_cloud_identity_group" "cloud_identity_group_basic" {
It is now possible to use service accounts with the Google Groups APIs without domain-wide delegation.
See: Set up the Groups API / Assigning an admin role to the service account. This makes it possible for the terraform service account to create/manage groups.
Building a bit on the answer above:
It is also possible through the Admin Console.
Actually, I did not find any other way either, since it seems impossible to obtain the uniqueID of the default Cloud Build service account otherwise.

- Follow the previous link as a Workspace super admin.
- Click the Groups Admin role.
- Click the down arrow in the Admins section.
- Finally click Assign service accounts, where you can paste the service account e-mail (<YOUR-PROJECT-ID>@cloudbuild.gserviceaccount.com).

After doing this, you can actually obtain the service account uniqueID: just run Try this API from the Directory API documentation with the roleId (you can get the roleId from the URL you are at after point 2) and the customer id that you can obtain from the Account settings.