Service Account Unable to Interact with GKE Cluster in Another Project
A service account ($SERVICE_ACCOUNT_A) from one Google Cloud Platform (GCP) project ($PROJECT_A) is unable to interact with a Google Kubernetes Engine (GKE) cluster ($GKE_CLUSTER_B) in another GCP project ($PROJECT_B); where:
$PROJECT_A is the name of the project that $SERVICE_ACCOUNT_A lives in
$SERVICE_ACCOUNT_A is of the form some-name@some-project-name.iam.gserviceaccount.com
$PROJECT_B is the name of the project that the $GKE_CLUSTER_B cluster is in
$GKE_CLUSTER_B is the GKE cluster name, not the context, of the form: some_cluster
$SERVICE_ACCOUNT_A is unable to interact with $GKE_CLUSTER_B despite having a role from $PROJECT_B containing the permissions that should allow it to do so.
I.e., first I created a custom role $ROLE:
gcloud iam roles create $ROLE \
--description="$ROLE_DESCRIPTION" \
--permissions=container.clusters.get,container.clusters.list \
--project=$PROJECT_B \
--title="$ROLE_TITLE"
#=>
Created role [$ROLE].
description: $ROLE_DESCRIPTION
etag: . . .
includedPermissions:
- container.clusters.get
- container.clusters.list
name: projects/$PROJECT_B/roles/$ROLE
stage: . . .
title: $ROLE_TITLE
Then I associated $ROLE from $PROJECT_B with $SERVICE_ACCOUNT_A:
gcloud projects add-iam-policy-binding $PROJECT_B \
--member=serviceAccount:$SERVICE_ACCOUNT_A \
--role=projects/$PROJECT_B/roles/$ROLE
#=>
Updated IAM policy for project [$PROJECT_B].
auditConfigs:
. . .
I can see $ROLE under $SERVICE_ACCOUNT_A:
gcloud projects get-iam-policy $PROJECT_B \
--flatten='bindings[].members' \
--format='value(bindings.role)' \
--filter="bindings.members:${SERVICE_ACCOUNT_A}"
#=>
projects/$PROJECT_B/roles/$ROLE
with the appropriate permissions:
gcloud iam roles describe $ROLE \
--flatten='includedPermissions' \
--format='value(includedPermissions)' \
--project=$PROJECT_B
#=>
container.clusters.get
container.clusters.list
but still cannot get $SERVICE_ACCOUNT_A to interact with $GKE_CLUSTER_B.
Why?
You need to enable the Kubernetes Engine API for $PROJECT_A (found here), even though $PROJECT_A has no GKE clusters and needs none.
You can confirm this by creating a new JSON key for $SERVICE_ACCOUNT_A:
gcloud iam service-accounts keys create \
./some-key.json \
--iam-account="${SERVICE_ACCOUNT_A}" \
--key-file-type="json"
#=>
created key [$KEY_ID] of type [json] as [./some-key.json] for [$SERVICE_ACCOUNT_A]
Activate the service account:
gcloud auth activate-service-account \
"${SERVICE_ACCOUNT_A}" \
--key-file=./some-key.json
#=>
Activated service account credentials for: [$SERVICE_ACCOUNT_A]
Confirm that it is active:
gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
. . .
* $SERVICE_ACCOUNT_A
your@account.user
. . .
To set the active account, run:
$ gcloud config set account `ACCOUNT`
and attempt to interact with $GKE_CLUSTER_B:
gcloud container clusters list --project=$PROJECT_B
#=>
ERROR: (gcloud.container.clusters.list) ResponseError: code=403, message=Kubernetes Engine API has not
been used in project $PROJECT_A_ID before or it is disabled. Enable it by visiting
https://console.developers.google.com/apis/api/container.googleapis.com/overview?project=$PROJECT_A_ID
then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our
systems and retry.
where $PROJECT_A_ID is a numeric ID of the form: xxxxxxxxxxxxx.
Visit the address returned by the 403 above (here) and enable the Kubernetes Engine API. $SERVICE_ACCOUNT_A should now be able to interact with GKE clusters in $PROJECT_B:
gcloud container clusters list \
--project=$PROJECT_B \
--format='value(name)'
#=>
. . .
some_cluster
. . .
including $GKE_CLUSTER_B.
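A pre-flight script for the setup above, added here as an example and not part of the question or answer: it checks the two conditions the answer identifies, the Kubernetes Engine API being enabled in the service account's own project and the custom role binding in the cluster's project. It assumes the post's placeholders ($PROJECT_A, $PROJECT_B, $SERVICE_ACCOUNT_A, $ROLE) and an already authenticated gcloud.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the same
# placeholders as the post: PROJECT_A holds the service account,
# PROJECT_B holds the cluster, ROLE is the custom role created there.

# The Kubernetes Engine API must be enabled in the project that OWNS the
# service account (PROJECT_A): gcloud attributes the API call to that
# project, even though the cluster being listed lives in PROJECT_B.
api_enabled_in() {
  gcloud services list --enabled --project="$1" \
    --filter='config.name:container.googleapis.com' \
    --format='value(config.name)' \
    | grep -q '^container.googleapis.com$'
}

# Same check the post runs by hand: does PROJECT_B bind the custom role
# to the service account?
binding_present() {
  gcloud projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --format='value(bindings.role)' \
    --filter="bindings.members:$2" \
    | grep -q "^projects/$1/roles/$3\$"
}

# preflight PROJECT_A PROJECT_B SERVICE_ACCOUNT_A ROLE
# Exit status 0 only when both conditions hold; otherwise prints the
# missing piece and the command that fixes it.
preflight() {
  rc=0
  if api_enabled_in "$1"; then
    echo "ok: container.googleapis.com is enabled in $1"
  else
    echo "missing: gcloud services enable container.googleapis.com --project=$1"
    rc=1
  fi
  if binding_present "$2" "$3" "$4"; then
    echo "ok: $3 holds projects/$2/roles/$4 in $2"
  else
    echo "missing: gcloud projects add-iam-policy-binding $2 --member=serviceAccount:$3 --role=projects/$2/roles/$4"
    rc=1
  fi
  return $rc
}

# Run directly: sh preflight.sh "$PROJECT_A" "$PROJECT_B" "$SERVICE_ACCOUNT_A" "$ROLE"
if [ $# -eq 4 ]; then preflight "$@"; fi
```

Run it before creating a key or touching kubeconfig: the first "missing" line is exactly the API-enablement step the 403 in the answer points at.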