使用 Terraform 部署云功能失败 - "Invalid function service account requested"
Deploying cloud function using terraform fails - "Invalid function service account requested"
我想部署一个 Google 云函数,我希望使用 terraform 来实现。我还希望创建一个服务帐户作为 运行 的非默认服务帐户,如 Function Identity > Per-function identity 中所述。该服务帐户的 ID 是 dataflowdemo.
我已经创建了一个服务帐户,希望用于 运行我的部署(与上一段中提到的服务帐户不同),该服务帐户的 ID 是 deployer:
export PROJECT=myproject
gcloud iam service-accounts create --project $PROJECT deployer
我下载了一个密钥文件,我可以按照 Terraform Google Provider > Adding credentials:
的指示在“$GOOGLE_APPLICATION_CREDENTIALS”中引用它
export GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/deployer.json
gcloud iam service-accounts keys create \
--project $PROJECT \
--iam-account deployer@${PROJECT}.iam.gserviceaccount.com $GOOGLE_APPLICATION_CREDENTIALS
并授予它必要的权限
gcloud projects add-iam-policy-binding $PROJECT --member="serviceAccount:deployer@${PROJECT}.iam.gserviceaccount.com" --role="roles/storage.admin"
gcloud projects add-iam-policy-binding $PROJECT --member="serviceAccount:deployer@${PROJECT}.iam.gserviceaccount.com" --role="roles/cloudfunctions.admin"
gcloud projects add-iam-policy-binding $PROJECT --member="serviceAccount:deployer@${PROJECT}.iam.gserviceaccount.com" --role="roles/iam.serviceAccountAdmin"
gcloud projects add-iam-policy-binding $PROJECT --member="serviceAccount:deployer@${PROJECT}.iam.gserviceaccount.com" --role="roles/iam.roleAdmin"
terraform 代码相当简单,它创建 dataflowdemo 服务帐户并将该服务帐户指定为云功能的非默认服务帐户。代码位于 https://github.com/jamiekt/dataflowdemo/tree/6775ff7fd395320705a82ecb16f3fb054993ed57.
我运行 terraform 部署是这样的:
terraform init && terraform apply --auto-approve
随后失败并显示:
Error: googleapi: Error 400: Invalid function service account requested: serviceAccount:dataflowdemo@myproject.iam.gserviceaccount.com. Please visit https://cloud.google.com/functions/docs/troubleshooting for in-depth troubleshooting documentation., badRequest
我访问了错误消息中给出的 link,其中指出:
However, to use a non-default runtime service account, the deployer must have the iam.serviceAccounts.actAs permission on that non-default account. A user who creates a non-default runtime service account is automatically granted this permission
函数部署者(即 deployer 服务帐户)与创建该函数的帐户相同,因此我很困惑为什么会失败。
有人可以告诉我我哪里出错了,我需要做些什么来解决它吗?
在您的 functions.tf 文件中,您定义了这样的服务帐户
service_account_email = "serviceAccount:${google_service_account.sa.email}"
删除 serviceAccount: 前缀
service_account_email = "${google_service_account.sa.email}"
我想部署一个 Google 云函数,我希望使用 terraform 来实现。我还希望创建一个服务帐户作为 运行 的非默认服务帐户,如 Function Identity > Per-function identity 中所述。该服务帐户的 ID 是 dataflowdemo.
我已经创建了一个服务帐户,希望用于 运行我的部署(与上一段中提到的服务帐户不同),该服务帐户的 ID 是 deployer:
export PROJECT=myproject
gcloud iam service-accounts create --project $PROJECT deployer
我下载了一个密钥文件,我可以按照 Terraform Google Provider > Adding credentials:
的指示在“$GOOGLE_APPLICATION_CREDENTIALS”中引用它export GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/deployer.json
gcloud iam service-accounts keys create \
--project $PROJECT \
--iam-account deployer@${PROJECT}.iam.gserviceaccount.com $GOOGLE_APPLICATION_CREDENTIALS
并授予它必要的权限
gcloud projects add-iam-policy-binding $PROJECT --member="serviceAccount:deployer@${PROJECT}.iam.gserviceaccount.com" --role="roles/storage.admin"
gcloud projects add-iam-policy-binding $PROJECT --member="serviceAccount:deployer@${PROJECT}.iam.gserviceaccount.com" --role="roles/cloudfunctions.admin"
gcloud projects add-iam-policy-binding $PROJECT --member="serviceAccount:deployer@${PROJECT}.iam.gserviceaccount.com" --role="roles/iam.serviceAccountAdmin"
gcloud projects add-iam-policy-binding $PROJECT --member="serviceAccount:deployer@${PROJECT}.iam.gserviceaccount.com" --role="roles/iam.roleAdmin"
terraform 代码相当简单,它创建 dataflowdemo 服务帐户并将该服务帐户指定为云功能的非默认服务帐户。代码位于 https://github.com/jamiekt/dataflowdemo/tree/6775ff7fd395320705a82ecb16f3fb054993ed57.
我运行 terraform 部署是这样的:
terraform init && terraform apply --auto-approve
随后失败并显示:
Error: googleapi: Error 400: Invalid function service account requested: serviceAccount:dataflowdemo@myproject.iam.gserviceaccount.com. Please visit https://cloud.google.com/functions/docs/troubleshooting for in-depth troubleshooting documentation., badRequest
我访问了错误消息中给出的 link,其中指出:
However, to use a non-default runtime service account, the deployer must have the iam.serviceAccounts.actAs permission on that non-default account. A user who creates a non-default runtime service account is automatically granted this permission
函数部署者(即 deployer 服务帐户)与创建该函数的帐户相同,因此我很困惑为什么会失败。
有人可以告诉我我哪里出错了,我需要做些什么来解决它吗?
在您的 functions.tf 文件中,您定义了这样的服务帐户
service_account_email = "serviceAccount:${google_service_account.sa.email}"
删除 serviceAccount: 前缀
service_account_email = "${google_service_account.sa.email}"