错误 403:在 Terraform 应用 JSON 密钥的所有者角色后需要 "container.clusters.create"
Error 403: Required "container.clusters.create" after Terraform apply with owner role of JSON key
我已经创建了一个 service account 并添加了一个具有所有者角色的 JSON 密钥,然后从 Chrome 下载。尝试使用 Terraform apply 创建 Google 集群,但出现此错误:2020/09/26 01:46:14 [ERROR] eval: *terraform.EvalApplyPost, err: googleapi: Error 403: Required "container.clusters.create" permission(s) for "projects/gitops-webinar"., forbidden
扩展日志:https://pastebin.com/05btUi9f
Terraform main.tf 文件
provider "google" {
credentials = file("~/gitops-project-290611-01b6aabd6093.json")
project = "gitops-webinar"
region = "us-central1-a"
}
$ ls -la gitops-project-290611-01b6aabd6093.json
-rw-r--r--@ 1 organic staff 2346 Sep 25 14:56 gitops-project-290611-01b6aabd6093.json
$ gcloud 项目 get-iam-policy gitops-project-290611 | pbcopy
bindings:
- members:
- deleted:serviceAccount:gitops-webinar-2@gitops-project-290611.iam.gserviceaccount.com?uid=112358266788784007511
- deleted:serviceAccount:gitops-webinar1@gitops-project-290611.iam.gserviceaccount.com?uid=113184308230946951276
role: roles/compute.admin
- members:
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
role: roles/compute.instanceAdmin
- members:
- serviceAccount:service-782490657309@compute-system.iam.gserviceaccount.com
role: roles/compute.serviceAgent
- members:
- deleted:serviceAccount:gitops-webinar-2@gitops-project-290611.iam.gserviceaccount.com?uid=112358266788784007511
- deleted:serviceAccount:gitops-webinar1@gitops-project-290611.iam.gserviceaccount.com?uid=113184308230946951276
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
role: roles/container.admin
- members:
- deleted:serviceAccount:gitops-webinar1@gitops-project-290611.iam.gserviceaccount.com?uid=113184308230946951276
role: roles/container.clusterAdmin
- members:
- serviceAccount:service-782490657309@container-engine-robot.iam.gserviceaccount.com
role: roles/container.serviceAgent
- members:
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
role: roles/containeranalysis.ServiceAgent
- members:
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
role: roles/containeranalysis.admin
- members:
- serviceAccount:service-782490657309@containerregistry.iam.gserviceaccount.com
role: roles/containerregistry.ServiceAgent
- members:
- serviceAccount:782490657309@cloudservices.gserviceaccount.com
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
role: roles/editor
- members:
- deleted:serviceAccount:gitops-webinar-2@gitops-project-290611.iam.gserviceaccount.com?uid=112358266788784007511
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
role: roles/iam.serviceAccountUser
- members:
- deleted:serviceAccount:gitops-webinar-2@gitops-project-290611.iam.gserviceaccount.com?uid=112358266788784007511
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
- deleted:serviceAccount:terraform@gitops-project-290611.iam.gserviceaccount.com?uid=115339463706838203610
- user:shuraisaeva2@gmail.com
role: roles/owner
- members:
- serviceAccount:service-782490657309@cloud-redis.iam.gserviceaccount.com
role: roles/redis.serviceAgent
- members:
- deleted:serviceAccount:gitops-webinar1@gitops-project-290611.iam.gserviceaccount.com?uid=113184308230946951276
role: roles/resourcemanager.organizationAdmin
- members:
- deleted:serviceAccount:gitops-webinar-2@gitops-project-290611.iam.gserviceaccount.com?uid=112358266788784007511
role: roles/resourcemanager.projectIamAdmin
- members:
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
role: roles/secretmanager.admin
- members:
- deleted:serviceAccount:gitops-webinar1@gitops-project-290611.iam.gserviceaccount.com?uid=113184308230946951276
role: roles/storage.admin
etag: BwWwOdndDu0=
version: 1
我想我找到了问题所在。您使用项目名称而不是项目 ID。试试这个
provider "google" {
credentials = file("~/gitops-project-290611-01b6aabd6093.json")
project = "gitops-project-290611"
region = "us-central1-a"
}
您还没有访问 gitops-webinar project_id
我已经创建了一个 service account 并添加了一个具有所有者角色的 JSON 密钥,然后从 Chrome 下载。尝试使用 Terraform apply 创建 Google 集群,但出现此错误:2020/09/26 01:46:14 [ERROR] eval: *terraform.EvalApplyPost, err: googleapi: Error 403: Required "container.clusters.create" permission(s) for "projects/gitops-webinar"., forbidden
扩展日志:https://pastebin.com/05btUi9f
Terraform main.tf 文件
provider "google" {
credentials = file("~/gitops-project-290611-01b6aabd6093.json")
project = "gitops-webinar"
region = "us-central1-a"
}
$ ls -la gitops-project-290611-01b6aabd6093.json
-rw-r--r--@ 1 organic staff 2346 Sep 25 14:56 gitops-project-290611-01b6aabd6093.json
$ gcloud 项目 get-iam-policy gitops-project-290611 | pbcopy
bindings:
- members:
- deleted:serviceAccount:gitops-webinar-2@gitops-project-290611.iam.gserviceaccount.com?uid=112358266788784007511
- deleted:serviceAccount:gitops-webinar1@gitops-project-290611.iam.gserviceaccount.com?uid=113184308230946951276
role: roles/compute.admin
- members:
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
role: roles/compute.instanceAdmin
- members:
- serviceAccount:service-782490657309@compute-system.iam.gserviceaccount.com
role: roles/compute.serviceAgent
- members:
- deleted:serviceAccount:gitops-webinar-2@gitops-project-290611.iam.gserviceaccount.com?uid=112358266788784007511
- deleted:serviceAccount:gitops-webinar1@gitops-project-290611.iam.gserviceaccount.com?uid=113184308230946951276
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
role: roles/container.admin
- members:
- deleted:serviceAccount:gitops-webinar1@gitops-project-290611.iam.gserviceaccount.com?uid=113184308230946951276
role: roles/container.clusterAdmin
- members:
- serviceAccount:service-782490657309@container-engine-robot.iam.gserviceaccount.com
role: roles/container.serviceAgent
- members:
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
role: roles/containeranalysis.ServiceAgent
- members:
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
role: roles/containeranalysis.admin
- members:
- serviceAccount:service-782490657309@containerregistry.iam.gserviceaccount.com
role: roles/containerregistry.ServiceAgent
- members:
- serviceAccount:782490657309@cloudservices.gserviceaccount.com
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
role: roles/editor
- members:
- deleted:serviceAccount:gitops-webinar-2@gitops-project-290611.iam.gserviceaccount.com?uid=112358266788784007511
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
role: roles/iam.serviceAccountUser
- members:
- deleted:serviceAccount:gitops-webinar-2@gitops-project-290611.iam.gserviceaccount.com?uid=112358266788784007511
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
- deleted:serviceAccount:terraform@gitops-project-290611.iam.gserviceaccount.com?uid=115339463706838203610
- user:shuraisaeva2@gmail.com
role: roles/owner
- members:
- serviceAccount:service-782490657309@cloud-redis.iam.gserviceaccount.com
role: roles/redis.serviceAgent
- members:
- deleted:serviceAccount:gitops-webinar1@gitops-project-290611.iam.gserviceaccount.com?uid=113184308230946951276
role: roles/resourcemanager.organizationAdmin
- members:
- deleted:serviceAccount:gitops-webinar-2@gitops-project-290611.iam.gserviceaccount.com?uid=112358266788784007511
role: roles/resourcemanager.projectIamAdmin
- members:
- serviceAccount:gitops-webinar@gitops-project-290611.iam.gserviceaccount.com
role: roles/secretmanager.admin
- members:
- deleted:serviceAccount:gitops-webinar1@gitops-project-290611.iam.gserviceaccount.com?uid=113184308230946951276
role: roles/storage.admin
etag: BwWwOdndDu0=
version: 1
我想我找到了问题所在。您使用项目名称而不是项目 ID。试试这个
provider "google" {
credentials = file("~/gitops-project-290611-01b6aabd6093.json")
project = "gitops-project-290611"
region = "us-central1-a"
}
您还没有访问 gitops-webinar project_id