Deployment Manager Failed to Update Bucket Name
The template I am using is exactly the same as the example template.
I first used bucket name X:
Deployment template:
imports:
- path: templates/gcs_bucket/gcs_bucket.py
  name: gcs_bucket.py
resources:
- name: X
  type: gcs_bucket.py
  properties:
    name: X
    location: us-east1
    versioning:
      enabled: True
    labels:
      env: development
gcloud deployment-manager deployments create s3-sample --config gcs_bucket.yaml
It ran successfully.
Next, I tried to deploy with the same template, but changed the bucket name to Y:
imports:
- path: templates/gcs_bucket/gcs_bucket.py
  name: gcs_bucket.py
resources:
- name: Y
  type: gcs_bucket.py
  properties:
    name: Y
    location: us-east1
    versioning:
      enabled: True
    labels:
      env: development
Using the update command:
gcloud deployment-manager deployments update s3-sample --config gcs_bucket.yaml
It failed:
Waiting for update [operation-1596317964460-5abd7bd3863a0-46f678bb-c6e8f7f7]...failed.
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1596317964460-5abd7bd3863a0-46f678bb-c6e8f7f7]: errors:
- code: RESOURCE_ERROR
location: /deployments/s3-sample/resources/X
message: '{"ResourceType":"gcp-types/storage-v1:buckets","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"XXX@cloudservices.gserviceaccount.com
does not have storage.buckets.get access to the Google Cloud Storage bucket.","reason":"forbidden"}],"message":"XXX@cloudservices.gserviceaccount.com
does not have storage.buckets.get access to the Google Cloud Storage bucket.","statusMessage":"Forbidden","requestPath":"https://storage.googleapis.com/storage/v1/b/X","httpMethod":"GET","suggestion":"Consider
granting permissions to XXX@cloudservices.gserviceaccount.com"}}'
But bucket Y was created successfully, and bucket X was not deleted?
What did I do wrong?
After deleting bucket X, I tried the update command again and it succeeded.
In Cloud Storage, objects are immutable, which means that an uploaded or created object cannot change throughout its storage lifetime. This also means that a bucket cannot be renamed.
Cloud Storage > Doc > Bucket naming guidelines > Bucket name requirements:
- A bucket name can only be assigned during creation. You cannot change the name of an existing bucket. Instead, you should create a new bucket with the desired name and move the contents from the old bucket to the new bucket. See Moving and Renaming Buckets for a step-by-step guide.
Cloud Storage > Doc > Moving and renaming buckets:
When you create a bucket, you permanently define its name.
However, you can effectively move or rename your bucket:
- If there is no data in your old bucket, delete the bucket and create another bucket with a new name.
According to the error message, the second deployment had no problem creating the new bucket Y, but it had no permission on the previously created bucket X.
By default, the Google APIs service agent account used by Deployment Manager is granted the Project Editor role:
CloudShell:$ gcloud projects get-iam-policy my-project --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:111111111111@cloudservices.gserviceaccount.com"
ROLE
roles/editor
CloudShell:$ gcloud iam roles describe roles/editor | grep storage.buckets
- storage.buckets.create
- storage.buckets.delete
- storage.buckets.list
As you can see, the Project Editor role includes the create and delete permissions on buckets, but not get. That is why the first deployment worked and created a new bucket X. The second deployment failed because it could not delete the previous bucket X, while it successfully created the new bucket Y. This also explains why the second deployment succeeded after you manually deleted bucket X.
To make this work, you should follow the documentation in cloud-foundation-toolkit.
GitHub > GoogleCloudPlatform / cloud-foundation-toolkit > Google Cloud Storage Bucket:
Prerequisites
- Grant the storage.admin IAM role to the Deployment Manager service account
The Storage Admin role includes all storage.buckets.* permissions, including get.
Cloud IAM > Doc > Understanding roles > Predefined roles > Cloud Storage roles:
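The permission gap the answer describes can be checked before running an update. The script below is an added example, not code from the question, the answer or the cloud-foundation-toolkit; the function names missing_bucket_perms and role_can_replace_bucket are mine, and the embedded permission list is a constructed copy of the grep output shown in the answer so that the check runs without gcloud access.

```shell
#!/bin/sh
# Added example, not from the original post: decide offline whether a role's
# permission list lets Deployment Manager replace a bucket resource.
# The list would normally come from
#   gcloud iam roles describe ROLE --format='value(includedPermissions)'
# (one permission per line); here a constructed copy of the page's grep output
# is embedded so the check runs without gcloud access.

# Replacing resource X with resource Y in an update means: create Y,
# then read (get) and delete X. All three permissions are needed.
REQUIRED_BUCKET_PERMS="storage.buckets.create storage.buckets.delete storage.buckets.get"

# Constructed sample: what `gcloud iam roles describe roles/editor | grep storage.buckets`
# printed in the answer above.
EDITOR_STORAGE_PERMS='- storage.buckets.create
- storage.buckets.delete
- storage.buckets.list'

# missing_bucket_perms PERMLIST
# Prints the required permissions absent from PERMLIST, space separated
# (empty output means nothing is missing). Leading "- " list markers are ignored.
missing_bucket_perms() {
    missing=""
    for p in $REQUIRED_BUCKET_PERMS; do
        if ! printf '%s\n' "$1" | sed 's/^- *//' | grep -qx "$p"; then
            missing="$missing $p"
        fi
    done
    printf '%s' "${missing# }"
}

# role_can_replace_bucket PERMLIST
# Exit status 0 when an update that renames the bucket would succeed.
role_can_replace_bucket() {
    [ -z "$(missing_bucket_perms "$1")" ]
}

# Stand-alone run: report the gap that produced the 403 in the question.
gap=$(missing_bucket_perms "$EDITOR_STORAGE_PERMS")
if [ -n "$gap" ]; then
    echo "roles/editor lacks: $gap"
    echo "Grant roles/storage.admin to the Deployment Manager service account instead."
else
    echo "roles/editor covers create, get and delete on buckets."
fi
```

Feed it the real `gcloud iam roles describe` output for whatever role the Deployment Manager service account holds to see which bucket permissions a rename-style update would still be missing.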