如何解决"googleapi: Error 403: The caller does not have permission, forbidden"
How to resolve "googleapi: Error 403: The caller does not have permission, forbidden"
我正在使用 Terraform 在 GCP 中构建基础设施。我正在尝试使用 terraform 将角色分配给 service account 但无法这样做。下面是我的代码:
sa.tf:
resource "google_service_account" "mojo-terra" {
account_id = "mojo-terra"
description = "Service account used for terraform script"
}
resource "google_project_iam_member" "mojo-roles" {
count = length(var.rolesList)
role = var.rolesList[count.index]
member = "serviceAccount:${google_service_account.mojo-terra.email}"
}
dev.tfvars:
rolesList = [
"roles/iam.serviceAccountUser"
]
cloudbuild 日志:
Step #2: Error: Error when reading or editing Resource "project \"poc-dev\"" with IAM Policy: Error retrieving IAM policy for project "poc-dev": googleapi: Error 403: The caller does not have permission, forbidden
Step #2:
Step #2:
Step #2:
Step #2: Error: Error when reading or editing Resource "project \"poc-dev\"" with IAM Member: Role "roles/iam.serviceAccountUser" Member "serviceAccount:asadsfs@poc-dev-1221.iam.gserviceaccount.com": Error retrieving IAM policy for project "poc-dev": googleapi: Error 403: The caller does not have permission, forbidden
Step #2:
以下是我 cloudbuild service account 的角色:
Custom Role cloudbuild, Cloud Build Service Account, Service Account Admin, Create Service Accounts, Delete Service Accounts, Service Account User, Storage Admin
向 Terraform 提供授权的服务帐户缺少权限 resourcemanager.projects.getIamPolicy,这是错误消息的来源。
服务帐户还缺少更改 IAM 策略所需的权限 resourcemanager.projects.setIamPolicy。
这些权限是角色 roles/resourcemanager.projectIamAdmin(项目 IAM 管理员)的一部分。
列出分配给服务帐户的角色:
gcloud projects get-iam-policy <YOUR GCLOUD PROJECT ID> \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<YOUR SERVICE ACCOUNT>"
列出角色包含的权限:
gcloud iam roles describe roles/resourcemanager.projectIamAdmin
将所需角色添加到服务帐户:
gcloud projects add-iam-policy-binding <YOUR GCLOUD PROJECT ID> \
--member=serviceAccount:<YOUR SERVICE ACCOUNT> \
--role=roles/resourcemanager.projectIamAdmin
我正在使用 Terraform 在 GCP 中构建基础设施。我正在尝试使用 terraform 将角色分配给 service account 但无法这样做。下面是我的代码:
sa.tf:
resource "google_service_account" "mojo-terra" {
account_id = "mojo-terra"
description = "Service account used for terraform script"
}
resource "google_project_iam_member" "mojo-roles" {
count = length(var.rolesList)
role = var.rolesList[count.index]
member = "serviceAccount:${google_service_account.mojo-terra.email}"
}
dev.tfvars:
rolesList = [
"roles/iam.serviceAccountUser"
]
cloudbuild 日志:
Step #2: Error: Error when reading or editing Resource "project \"poc-dev\"" with IAM Policy: Error retrieving IAM policy for project "poc-dev": googleapi: Error 403: The caller does not have permission, forbidden
Step #2:
Step #2:
Step #2:
Step #2: Error: Error when reading or editing Resource "project \"poc-dev\"" with IAM Member: Role "roles/iam.serviceAccountUser" Member "serviceAccount:asadsfs@poc-dev-1221.iam.gserviceaccount.com": Error retrieving IAM policy for project "poc-dev": googleapi: Error 403: The caller does not have permission, forbidden
Step #2:
以下是我 cloudbuild service account 的角色:
Custom Role cloudbuild, Cloud Build Service Account, Service Account Admin, Create Service Accounts, Delete Service Accounts, Service Account User, Storage Admin
向 Terraform 提供授权的服务帐户缺少权限 resourcemanager.projects.getIamPolicy,这是错误消息的来源。
服务帐户还缺少更改 IAM 策略所需的权限 resourcemanager.projects.setIamPolicy。
这些权限是角色 roles/resourcemanager.projectIamAdmin(项目 IAM 管理员)的一部分。
列出分配给服务帐户的角色:
gcloud projects get-iam-policy <YOUR GCLOUD PROJECT ID> \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<YOUR SERVICE ACCOUNT>"
列出角色包含的权限:
gcloud iam roles describe roles/resourcemanager.projectIamAdmin
将所需角色添加到服务帐户:
gcloud projects add-iam-policy-binding <YOUR GCLOUD PROJECT ID> \
--member=serviceAccount:<YOUR SERVICE ACCOUNT> \
--role=roles/resourcemanager.projectIamAdmin