How to use cloud build to deploy cloud run with cloud sql on google cloud?
My cloudbuild.yaml file
(I built a Docker image and pushed it to GCR.)
This application uses MySQL on Cloud SQL, so it needs to connect to it.
steps:
  - id: cloud-run
    name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    entrypoint: gcloud
    args:
      - 'run'
      - 'deploy'
      - 'my-service'
      - '--image'
      - 'asia.gcr.io/$_PROJECT_ID/my-service:$_COMMIT_SHA'
      - '--region'
      - 'asia-northeast1'
      - '--platform'
      - 'managed'
      - '--service-account'
      - '$_CLOUD_RUN_PUBSUB_INVOKER'
      - '--add-cloudsql-instances'
      - '$_MYSQL_MAIN_INSTANCE_NAME'
      - '--set-env-vars'
      - 'MYSQL_MAIN_CONNECTIONS=$_MYSQL_MAIN_CONNECTIONS'
      - '--set-env-vars'
      - 'MYSQL_MAIN_INSTANCE_NAME=$_MYSQL_MAIN_INSTANCE_NAME'
      - '--set-env-vars'
      - 'MYSQL_MAIN_DB=$_MYSQL_MAIN_DB'
      - '--set-env-vars'
      - 'MYSQL_MAIN_USER=$_MYSQL_MAIN_USER'
      - '--set-env-vars'
      - 'MYSQL_MAIN_PASSWORD_SECRET_ID=$_MYSQL_MAIN_PASSWORD_SECRET_ID'
      - '--set-env-vars'
When I run the build submit, I get a "Cloud SQL API not activated" error:
$ gcloud builds submit
Creating temporary tarball archive of 5 file(s) totalling 47.4 KiB before compression.
Uploading tarball of [.] to [gs://my-project_cloudbuild/source/1610067564.911628-8d7f3de581ca4b8faa57bd5a8ea75ef1.tgz]
Created [https://cloudbuild.googleapis.com/v1/projects/my-project/locations/global/builds/b4e1bf9c-bc06-4ce8-b252-3b34f164719d].
Logs are available at [https://console.cloud.google.com/cloud-build/builds/b4e1bf9c-bc06-4ce8-b252-3b34f164719d?project=421686839359].
---------------------------------------------------------------------------------------------- REMOTE BUILD OUTPUT -----------------------------------------------------------------------------------------------
starting build "b4e1bf9c-bc06-4ce8-b252-3b34f164719d"
FETCHSOURCE
Fetching storage object: gs://my-project_cloudbuild/source/1610067564.911628-8d7f3de581ca4b8faa57bd5a8ea75ef1.tgz#1610067566084932
Copying gs://my-project_cloudbuild/source/1610067564.911628-8d7f3de581ca4b8faa57bd5a8ea75ef1.tgz#1610067566084932...
/ [1 files][ 17.1 KiB/ 17.1 KiB]
Operation completed over 1 objects/17.1 KiB.
BUILD
Pulling image: gcr.io/google.com/cloudsdktool/cloud-sdk
Using default tag: latest
latest: Pulling from google.com/cloudsdktool/cloud-sdk
6c33745f49b4: Already exists
...
ffa0764d79dc: Pull complete
Digest: sha256:3f32cb39cdfe8902bc85e31111a9f1bc7cbd9d37f31c6164f2b41cfdaa66284f
Status: Downloaded newer image for gcr.io/google.com/cloudsdktool/cloud-sdk:latest
gcr.io/google.com/cloudsdktool/cloud-sdk:latest
Skipped validating Cloud SQL API and Cloud SQL Admin API enablement due to an issue contacting the Service Usage API. Please ensure the Cloud SQL API and Cloud SQL Admin API are activated (see https://console.cloud.google.com/apis/dashboard).
ERROR: (gcloud.run.deploy) PERMISSION_DENIED: The caller does not have permission
ERROR
ERROR: build step 0 "gcr.io/google.com/cloudsdktool/cloud-sdk" failed: step exited with non-zero status: 1
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ERROR: (gcloud.builds.submit) build b4e1bf9c-bc06-4ce8-b252-3b34f164719d completed with status "FAILURE"
I checked the dashboard https://console.cloud.google.com/apis/dashboard, and both the Cloud SQL API and the Cloud SQL Admin API are activated.
I also ran the permission setup from https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#continuous-iam:
gcloud iam service-accounts add-iam-policy-binding \
PROJECT_NUMBER-compute@developer.gserviceaccount.com \
--member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
--role="roles/iam.serviceAccountUser"
But I still get the same error.
It looks like an error about IAM permissions.
PERMISSION_DENIED: The caller does not have permission
You also need to follow the required IAM permission steps in this document:
To deploy to Cloud Run (fully managed) grant the Cloud Run Admin and Service Account User roles to the Cloud Build service account:
In the Cloud Console, go to the Cloud Build Settings page:
Open the Settings page
In the Service account permissions panel, set the status of the Cloud Run Admin role to ENABLED:
In the Additional steps may be required pop-up, you click Skip or click GRANT ACCESS TO ALL SERVICE ACCOUNTS.
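An added example, not part of the original question or answer: an offline check of exported IAM policy JSON for the two roles the quoted documentation names, including the act-as binding on the account passed with `--service-account`. The project number, service-account e-mails and sample policies are constructed placeholders, and it assumes the runtime account is not the default compute account.

```python
import json

RUN_ADMIN = "roles/run.admin"              # "Cloud Run Admin"
SA_USER = "roles/iam.serviceAccountUser"   # "Service Account User"

# Constructed placeholders, not values from the post.
BUILD_SA = "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"
COMPUTE_SA = "123456789012-compute@developer.gserviceaccount.com"
RUNTIME_SA = "run-invoker@my-project.iam.gserviceaccount.com"  # assumed --service-account value

# Constructed policies in the shape printed by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
#   gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
PROJECT_POLICY = json.loads("""
{"bindings": [{"role": "roles/cloudbuild.builds.builder",
               "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}]}
""")
SA_POLICIES = {
    # State after the command in the question: act-as on the compute account only.
    COMPUTE_SA: {"bindings": [{"role": SA_USER, "members": [BUILD_SA]}]},
    RUNTIME_SA: {},  # an empty policy is exported without a "bindings" key
}


def has_role(policy, member, role):
    """True if `member` is listed directly in a binding for `role`."""
    return any(b.get("role") == role and member in b.get("members", [])
               for b in policy.get("bindings", []))


def missing_grants(project_policy, sa_policies, deployer, runtime_sa):
    """Return (resource, role) pairs the deployer still lacks.

    Only direct bindings of these two roles are checked; group membership,
    IAM conditions and broader roles are not evaluated.
    """
    missing = []
    if not has_role(project_policy, deployer, RUN_ADMIN):
        missing.append(("project", RUN_ADMIN))
    # Act-as may be granted project-wide or, more narrowly, on the runtime account.
    if not (has_role(project_policy, deployer, SA_USER)
            or has_role(sa_policies.get(runtime_sa, {}), deployer, SA_USER)):
        missing.append((runtime_sa, SA_USER))
    return missing


if __name__ == "__main__":
    for resource, role in missing_grants(PROJECT_POLICY, SA_POLICIES, BUILD_SA, RUNTIME_SA):
        print(f"missing: {role} on {resource}")
```

Binding Service Account User on the runtime account alone, rather than project-wide, keeps the build identity from acting as every other service account in the project.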