Terraform 为服务帐户设置 IAM 策略时抛出错误...需要权限 iam.serviceAccounts.setIamPolicy
Terraform throws Error setting IAM policy for service account ... Permission iam.serviceAccounts.setIamPolicy is required
我正在尝试使用 Terraform 在 GCP 上创建一个非常简单的结构:计算实例 + 存储桶。我对 GCP 文档、Terraform 文档和 SO 问题进行了一些研究,但仍然无法理解这里的诀窍。有一个 to use google_project_iam_binding, but reading thruogh some articles it seems to be dangerous (read: insecure solution). There's also a general answer with only GCP descriptions, nit using tf terms here, which is still a bit confusing. And also concluding the similar question ,我确认域名所有权已通过 Google 控制台验证。
所以,我得到了以下结果:
data "google_iam_policy" "admin" {
binding {
role = "roles/iam.serviceAccountUser"
members = [
"user:myemail@domain.name",
"serviceAccount:${google_service_account.serviceaccount.email}",
]
}
}
resource "google_service_account" "serviceaccount" {
account_id = "sa-1"
}
resource "google_service_account_iam_policy" "admin-acc-iam" {
service_account_id = google_service_account.serviceaccount.name
policy_data = data.google_iam_policy.admin.policy_data
}
resource "google_storage_bucket_iam_policy" "policy" {
bucket = google_storage_bucket.storage_bucket.name
policy_data = data.google_iam_policy.admin.policy_data
}
resource "google_compute_network" "vpc_network" {
name = "vpc-network"
auto_create_subnetworks = "true"
}
resource "google_compute_instance" "instance_1" {
name = "instance-1"
machine_type = "f1-micro"
boot_disk {
initialize_params {
image = "cos-cloud/cos-stable"
}
}
network_interface {
network = google_compute_network.vpc_network.self_link
access_config {
}
}
}
resource "google_storage_bucket" "storage_bucket" {
name = "bucket-1"
location = "US"
force_destroy = true
website {
main_page_suffix = "index.html"
not_found_page = "404.html"
}
cors {
origin = ["http://the.domain.name"]
method = ["GET", "HEAD", "PUT", "POST", "DELETE"]
response_header = ["*"]
max_age_seconds = 3600
}
}
但是如果我 terraform apply,日志会显示这样的错误
Error: Error setting IAM policy for service account 'trololo': googleapi: Error 403: Permission iam.serviceAccounts.setIamPolicy is required to perform this operation on service account trololo., forbidden
2020/09/28 19:19:34 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
on main.tf line 35, in resource "google_service_account_iam_policy" "admin-acc-iam":
35: resource "google_service_account_iam_policy" "admin-acc-iam" {
2020/09/28 19:19:34 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
Error: googleapi: Error 403: The bucket you tried to create is a domain name owned by another user., forbidden
on main.tf line 82, in resource "google_storage_bucket" "storage_bucket":
和一些无用的调试信息。怎么了?哪个帐户缺少哪些权限以及如何安全地分配权限?
我发现了问题。一如既往,在 90% 的情况下,问题出在电脑前。
以下是帮助我理解和解决问题的步骤:
- 我又读了几篇文章,尤其是 this and this answer 对理解用户、服务帐户、权限之间的关系很有帮助
- 我知道做
terraform destroy 也很重要,因为没有回滚新基础架构更改的不成功部署(例如数据库迁移) - 因此您必须使用销毁或清理手动
- 完全删除了
"user:${var.admin_email}" 用户帐户 IAM 策略,因为它没用;一切都必须由新创建的服务帐户管理
- 因为 Terraform 使用了它的凭据,所以保留了大部分权限的主服务帐户(手动创建并下载访问密钥的帐户)
- 并将新服务帐户的 IAM 策略更改为
roles/iam.serviceAccountAdmin 而不是 User - 感谢@Wojtek_B 的提示
之后一切顺利!
我正在尝试使用 Terraform 在 GCP 上创建一个非常简单的结构:计算实例 + 存储桶。我对 GCP 文档、Terraform 文档和 SO 问题进行了一些研究,但仍然无法理解这里的诀窍。有一个 google_project_iam_binding, but reading thruogh some articles it seems to be dangerous (read: insecure solution). There's also a general answer with only GCP descriptions, nit using tf terms here, which is still a bit confusing. And also concluding the similar question
所以,我得到了以下结果:
data "google_iam_policy" "admin" {
binding {
role = "roles/iam.serviceAccountUser"
members = [
"user:myemail@domain.name",
"serviceAccount:${google_service_account.serviceaccount.email}",
]
}
}
resource "google_service_account" "serviceaccount" {
account_id = "sa-1"
}
resource "google_service_account_iam_policy" "admin-acc-iam" {
service_account_id = google_service_account.serviceaccount.name
policy_data = data.google_iam_policy.admin.policy_data
}
resource "google_storage_bucket_iam_policy" "policy" {
bucket = google_storage_bucket.storage_bucket.name
policy_data = data.google_iam_policy.admin.policy_data
}
resource "google_compute_network" "vpc_network" {
name = "vpc-network"
auto_create_subnetworks = "true"
}
resource "google_compute_instance" "instance_1" {
name = "instance-1"
machine_type = "f1-micro"
boot_disk {
initialize_params {
image = "cos-cloud/cos-stable"
}
}
network_interface {
network = google_compute_network.vpc_network.self_link
access_config {
}
}
}
resource "google_storage_bucket" "storage_bucket" {
name = "bucket-1"
location = "US"
force_destroy = true
website {
main_page_suffix = "index.html"
not_found_page = "404.html"
}
cors {
origin = ["http://the.domain.name"]
method = ["GET", "HEAD", "PUT", "POST", "DELETE"]
response_header = ["*"]
max_age_seconds = 3600
}
}
但是如果我 terraform apply,日志会显示这样的错误
Error: Error setting IAM policy for service account 'trololo': googleapi: Error 403: Permission iam.serviceAccounts.setIamPolicy is required to perform this operation on service account trololo., forbidden
2020/09/28 19:19:34 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
on main.tf line 35, in resource "google_service_account_iam_policy" "admin-acc-iam":
35: resource "google_service_account_iam_policy" "admin-acc-iam" {
2020/09/28 19:19:34 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
Error: googleapi: Error 403: The bucket you tried to create is a domain name owned by another user., forbidden
on main.tf line 82, in resource "google_storage_bucket" "storage_bucket":
和一些无用的调试信息。怎么了?哪个帐户缺少哪些权限以及如何安全地分配权限?
我发现了问题。一如既往,在 90% 的情况下,问题出在电脑前。
以下是帮助我理解和解决问题的步骤:
- 我又读了几篇文章,尤其是 this and this answer 对理解用户、服务帐户、权限之间的关系很有帮助
- 我知道做
terraform destroy也很重要,因为没有回滚新基础架构更改的不成功部署(例如数据库迁移) - 因此您必须使用销毁或清理手动 - 完全删除了
"user:${var.admin_email}"用户帐户 IAM 策略,因为它没用;一切都必须由新创建的服务帐户管理 - 因为 Terraform 使用了它的凭据,所以保留了大部分权限的主服务帐户(手动创建并下载访问密钥的帐户)
- 并将新服务帐户的 IAM 策略更改为
roles/iam.serviceAccountAdmin而不是User- 感谢@Wojtek_B 的提示
之后一切顺利!