从 bitbucket 管道部署到云 运行 原因 google.api_core.exceptions.PermissionDenied:403 资源项目 None 权限被拒绝

Deploying to cloud run from bitbucket pipeline cause google.api_core.exceptions.PermissionDenied: 403 Permission denied on resource project None

我想在云上部署我的 django 应用程序 运行。我已经按照专门的教程学习了,还不错。
现在我想从我的 bitbucket 管道中部署它。 这是完成这项工作的行:

- export GOOGLE_APPLICATION_CREDENTIALS=/tmp/client-secret.json
- docker build . -t $IMAGE_NAME
- docker push $IMAGE_NAME
- gcloud run deploy devapi --image $IMAGE_NAME --platform managed --region europe-west1

这是我的错误的完整堆栈跟踪:

File "/app/manage.py", line 17, in execute_from_command_line(sys.argv) File "/usr/local/lib/python3.8/site-packages/django/core/management/init.py", line 419, in execute_from_command_line utility.execute() File "/usr/local/lib/python3.8/site-packages/django/core/management/init.py", line 363, in execute settings.INSTALLED_APPS File "/usr/local/lib/python3.8/site-packages/django/conf/init.py", line 82, in getattr self._setup(name) File "/usr/local/lib/python3.8/site-packages/django/conf/init.py", line 69, in _setup self._wrapped = Settings(settings_module) File "/usr/local/lib/python3.8/site-packages/django/conf/init.py", line 170, in init mod = importlib.import_module(self.SETTINGS_MODULE) File "/usr/local/lib/python3.8/importlib/init.py", line 127, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1014, in _gcd_import File "", line 991, in _find_and_load File "", line 975, in _find_and_load_unlocked File "", line 671, in _load_unlocked
File "", line 843, in exec_module File "", line 219, in _call_with_frames_removed File "/app/main/settings.py", line 40, in payload = client.access_secret_version(name=name).payload.data.decode("UTF-8")
File "/usr/local/lib/python3.8/site-packages/google/cloud/secretmanager_v1/services/secret_manager_service/client.py", line 1140, in access_secret_version response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,) File "/usr/local/lib/python3.8/site-packages/google/api_core/gapic_v1/method.py", line 145, in call return wrapped_func(*args, **kwargs) File "/usr/local/lib/python3.8/site-packages/google/api_core/retry.py", line 286, in retry_wrapped_func return retry_target( File "/usr/local/lib/python3.8/site-packages/google/api_core/retry.py", line 189, in retry_target return target() File "/usr/local/lib/python3.8/site-packages/google/api_core/grpc_helpers.py", line 69, in error_remapped_callable six.raise_from(exceptions.from_grpc_error(exc), exc) File "", line 3, in raise_from google.api_core.exceptions.PermissionDenied: 403 Permission denied on resource project None."

所以感觉问题出在这里:

payload = client.access_secret_version(name=name).payload.data.decode("UTF-8")

但是当我记录名称时,我得到了预期的值。

为什么说我的项目是None?我该如何设置?

我试过像这样部署将项目添加到命令行:

gcloud run deploy devapi --image $IMAGE_NAME --platform managed --region europe-west1 --project myproject

同样的结果...

我尝试按如下方式更换我的管道:

- export GOOGLE_APPLICATION_CREDENTIALS=/tmp/client-secret.json
- gcloud builds submit --config cloudbuild.yaml
- gcloud run deploy devapi --image $IMAGE_NAME --platform managed --region europe-west1 --project my-project

这是我的云构建:

steps:
  - id: "build image"
    name: "gcr.io/cloud-builders/docker"
    args: ["build", "-t", "gcr.io/${_PROJECT_ID}/${_SERVICE_NAME}", "."]

  - id: "push image"
    name: "gcr.io/cloud-builders/docker"
    args: ["push", "gcr.io/${_PROJECT_ID}/${_SERVICE_NAME}"]

  - id: "apply migrations"
    name: "gcr.io/google-appengine/exec-wrapper"
    args:
      [
        "-i",
        "gcr.io/${_PROJECT_ID}/${_SERVICE_NAME}",
        "-s",
        "${_PROJECT_ID}:${_REGION}:${_INSTANCE_NAME}",
        "-e",
        "SETTINGS_NAME=${_SECRET_SETTINGS_NAME}",
        "--",
        "python",
        "manage.py",
        "migrate",
      ]

  - id: "collect static"
    name: "gcr.io/google-appengine/exec-wrapper"
    args:
      [
        "-i",
        "gcr.io/${_PROJECT_ID}/${_SERVICE_NAME}",
        "-s",
        "${_PROJECT_ID}:${_REGION}:${_INSTANCE_NAME}",
        "-e",
        "SETTINGS_NAME=${_SECRET_SETTINGS_NAME}",
        "--",
        "python",
        "manage.py",
        "collectstatic",
        "--verbosity",
        "2",
        "--no-input",
      ]

substitutions:
  _INSTANCE_NAME: my-sql_instance
  _REGION: europe-west1
  _SERVICE_NAME: my_img_name
  _SECRET_SETTINGS_NAME:my_secret_name
  _PROJECT_ID: my_project
  _TAG: latest

images:
  - "gcr.io/${_PROJECT_ID}/${_SERVICE_NAME}:${_TAG}"

结果还是一样

需要确认的一件事是您是否在名称变量中使用了正确的值。在两个具有正确值的 issues, users received the same error by passing the project name instead of the project ID. You should make sure that the name variable is constructed in one of the following ways 中:

projects/{project_id}/secrets/{secret_id}/versions/{version_id} projects/{project_id}/secrets/{secret_id}/versions/latest

另外要确认的是你是否有 required permissions to access secrets in your service accounts. A relevant permission for this case would be roles/secretmanager.secretAccessor to access secret payload. This could also be a cause of this error. Finally, here is the access_secret_version API documentation.

所以这是由于对 bitbucket 管道工作的误解。我以为在其中导出我的变量可以使它在我的容器中可用,但事实并非如此。

我直接将我的环境变量设置到我的云 运行 中,这解决了问题