gcp google_project_iam_member 在 terraform 上给出无效参数消息
gcp google_project_iam_member gives invalid argument message on terraform
我正在使用 Terraform 部署以下内容
resource "google_project_iam_custom_role" "brw-user-function-item-registered-role" {
role_id = "brw_user_function_item_registered_role"
title = "brw-user-function-item-registered-role"
description = "Role used by the brw-user-function item-registered"
permissions = [
"storage.objects.create",
"storage.objects.get",
"storage.objects.list"
]
}
resource "google_service_account" "brw-user-function-item-registered-service-account" {
account_id = "brw-user-function-item-reg-svc"
display_name = "brw-user-function-item-registered-service_account"
}
resource "google_project_iam_member" "brw-user-function-item-registered-service-account-binding" {
project = local.project
role = "roles/${google_project_iam_custom_role.brw-user-function-item-registered-role.role_id}"
member = "serviceAccount:${google_service_account.brw-user-function-item-registered-service-account.email}"
depends_on = [
google_project_iam_custom_role.brw-user-function-item-registered-role,
google_service_account.brw-user-function-item-registered-service-account
]
}
然而,当我尝试通过 terraform 部署它时,出现以下错误
Request "Create IAM Members roles/brw_user_function_item_registered_role serviceAccount:brw-user-function-item-reg-svc@brw-user.iam.gserviceaccount.com for \"project \\"BRW-User\\"\"" returned error: Error retrieving IAM policy for project "BRW-User": googleapi: Error 400: Request contains an invalid argument., badRequest
我不确定这里有什么问题,我添加了 depends_on 只是为了确保它以正确的顺序创建。 member 属性可能是错误的,我也尝试提供 account_id,但我仍然得到同样的错误。
在资源 google_project_iam_member 中,如果您要传递自定义角色,则它必须采用以下格式:
[projects|organizations]/{parent-name}/roles/{role-name}
这是一个例子:
resource "google_project_iam_member" "access" {
project = var.project_name
role = "projects/${var.project_name}/roles/${google_project_iam_custom_role.customer_access.role_id}"
member = "serviceAccount:${google_service_account.service_account.email}"
}
此外,作为最佳做法,请避免在资源名称中使用破折号(最好是下划线)并且尽量不要让它太长。我 运行 遇到过长名字的问题。
只有预定义角色的名称前面有字符串 roles/。
您正在使用字符串:
role = "roles/${google_project_iam_custom_role.brw-user-function-item-registered-role.role_id}"
改为:
role = google_project_iam_custom_role.brw-user-function-item-registered-role.name
注意删除 roles/,将 role_id 更改为 name , 并删除字符串插值。
我正在使用 Terraform 部署以下内容
resource "google_project_iam_custom_role" "brw-user-function-item-registered-role" {
role_id = "brw_user_function_item_registered_role"
title = "brw-user-function-item-registered-role"
description = "Role used by the brw-user-function item-registered"
permissions = [
"storage.objects.create",
"storage.objects.get",
"storage.objects.list"
]
}
resource "google_service_account" "brw-user-function-item-registered-service-account" {
account_id = "brw-user-function-item-reg-svc"
display_name = "brw-user-function-item-registered-service_account"
}
resource "google_project_iam_member" "brw-user-function-item-registered-service-account-binding" {
project = local.project
role = "roles/${google_project_iam_custom_role.brw-user-function-item-registered-role.role_id}"
member = "serviceAccount:${google_service_account.brw-user-function-item-registered-service-account.email}"
depends_on = [
google_project_iam_custom_role.brw-user-function-item-registered-role,
google_service_account.brw-user-function-item-registered-service-account
]
}
然而,当我尝试通过 terraform 部署它时,出现以下错误
Request "Create IAM Members roles/brw_user_function_item_registered_role serviceAccount:brw-user-function-item-reg-svc@brw-user.iam.gserviceaccount.com for \"project \\"BRW-User\\"\"" returned error: Error retrieving IAM policy for project "BRW-User": googleapi: Error 400: Request contains an invalid argument., badRequest
我不确定这里有什么问题,我添加了 depends_on 只是为了确保它以正确的顺序创建。 member 属性可能是错误的,我也尝试提供 account_id,但我仍然得到同样的错误。
在资源 google_project_iam_member 中,如果您要传递自定义角色,则它必须采用以下格式:
[projects|organizations]/{parent-name}/roles/{role-name}
这是一个例子:
resource "google_project_iam_member" "access" {
project = var.project_name
role = "projects/${var.project_name}/roles/${google_project_iam_custom_role.customer_access.role_id}"
member = "serviceAccount:${google_service_account.service_account.email}"
}
此外,作为最佳做法,请避免在资源名称中使用破折号(最好是下划线)并且尽量不要让它太长。我 运行 遇到过长名字的问题。
只有预定义角色的名称前面有字符串 roles/。
您正在使用字符串:
role = "roles/${google_project_iam_custom_role.brw-user-function-item-registered-role.role_id}"
改为:
role = google_project_iam_custom_role.brw-user-function-item-registered-role.name
注意删除 roles/,将 role_id 更改为 name , 并删除字符串插值。