Appengine gcloud deploy using custom service account
I want to deploy an API to App Engine, but it ends up using the wrong service account.
I used these 3 command lines in GitLab:
- gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json
- gcloud config set account NameOfServiceAccount.com
- gcloud app deploy
What I get is:
target service account: [App Engine default service account]
Do you want to continue (Y/n)?
Beginning deployment of service [lettering-back]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 2 files to Google Cloud Storage ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as
To deploy new versions, a member must have the Service Account User
(roles/iam.serviceAccountUser) role on the App Engine default service
account, and the Cloud Build Editor (roles/cloudbuild.builds.editor)
and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on
the project.
More specifically, for your error message, your service account (the one whose key you placed in /tmp/$CI_PIPELINE_ID.json) needs roles/iam.serviceAccountUser.
Reference: the table row at https://cloud.google.com/appengine/docs/standard/python/roles#predefined_roles
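
An added example, not part of the original question or answer: a pre-deploy check that reads IAM policies in the JSON shape printed by `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json`, and reports which of the roles named in the error message the deploying account lacks. The account name, project name and sample policies are constructed, and matching on exact role names only is an assumption of this sketch.

```python
# Roles named in the gcloud error text quoted on this page.
PROJECT_ROLES = ("roles/cloudbuild.builds.editor", "roles/storage.objectAdmin")
ACT_AS_ROLE = "roles/iam.serviceAccountUser"


def roles_of(member, policy):
    """Roles that `policy` binds unconditionally to `member`."""
    held = set()
    for binding in policy.get("bindings", []):
        # A conditional binding may not apply at deploy time, so do not count it.
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            held.add(binding["role"])
    return held


def missing_deploy_roles(member, project_policy, runtime_sa_policy):
    """Return the roles from the error message that `member` lacks.

    Assumption: exact role names only; broader roles carrying the same
    permissions are not recognised.
    """
    on_project = roles_of(member, project_policy)
    on_runtime_sa = roles_of(member, runtime_sa_policy)
    missing = [r for r in PROJECT_ROLES if r not in on_project]
    # Service Account User counts when granted on the runtime account itself
    # or project-wide (which covers every service account in the project).
    if ACT_AS_ROLE not in on_runtime_sa | on_project:
        missing.append(ACT_AS_ROLE + " (on the App Engine default service account)")
    return missing


# Constructed sample data (hypothetical account and project names).
DEPLOYER = "serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"
PROJECT_POLICY = {"bindings": [
    {"role": "roles/cloudbuild.builds.editor", "members": [DEPLOYER]},
    {"role": "roles/storage.objectAdmin", "members": [DEPLOYER],
     "condition": {"title": "expired",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
]}
RUNTIME_SA_POLICY = {"etag": "ACAB"}  # no bindings on the default service account

if __name__ == "__main__":
    for role in missing_deploy_roles(DEPLOYER, PROJECT_POLICY, RUNTIME_SA_POLICY):
        print("missing:", role)
```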