如何在设置为服务帐户的 GCP 计算虚拟机上安装监控代理?
How to install monitoring agent on GCP Compute VM that is set to a Service Account?
我将 GCP VM 设置为使用服务帐户,因此在控制台的 VM 实例详细信息中:
Service account
blarg@MYPROJECT.iam.gserviceaccount.com
当我运行安装监控代理的命令时,我看到了这个:
Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.ssh) Could not add SSH key to instance metadata:
- Required 'compute.instances.setMetadata' permission for 'projects/MYPROJECT/zones/us-central1-a/instances/MYVM'
我在 实例(不是整个项目)上为服务帐户授予 Compute Admin 角色,然后重新 运行.结果更加混乱:
Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.ssh) Could not add SSH key to instance metadata:
- The user does not have access to service account > 'blarg@MYPROJECT.iam.gserviceaccount.com'. User: 'blarg@MYPROJECT.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
我是否真的在 服务帐户上 运行t iam.serviceAccountUser
角色 以便它可以使用自己?有没有其他方法可以 运行 脚本 作为我 而不是服务帐户,因为我是一个项目 admin/owner?
根据计算管理员角色的官方文档,这是正确的:
Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are
configured to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
我将 GCP VM 设置为使用服务帐户,因此在控制台的 VM 实例详细信息中:
Service account
blarg@MYPROJECT.iam.gserviceaccount.com
当我运行安装监控代理的命令时,我看到了这个:
Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.ssh) Could not add SSH key to instance metadata:
- Required 'compute.instances.setMetadata' permission for 'projects/MYPROJECT/zones/us-central1-a/instances/MYVM'
我在 实例(不是整个项目)上为服务帐户授予 Compute Admin 角色,然后重新 运行.结果更加混乱:
Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.ssh) Could not add SSH key to instance metadata:
- The user does not have access to service account > 'blarg@MYPROJECT.iam.gserviceaccount.com'. User: 'blarg@MYPROJECT.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
我是否真的在 服务帐户上 运行t iam.serviceAccountUser
角色 以便它可以使用自己?有没有其他方法可以 运行 脚本 作为我 而不是服务帐户,因为我是一个项目 admin/owner?
根据计算管理员角色的官方文档,这是正确的:
Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.