gcloud构建Django网站提交结果报错"does not have storage.objects.get access"
gcloud builds submit of Django website results in error "does not have storage.objects.get access"
我正在尝试使用 Cloud 运行 部署我的 Django 网站,如 Google Cloud Platform's documentation 中所述,但在 运行 执行命令时出现错误 Error 403: 934957811880@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden gcloud builds submit --config cloudmigrate.yaml --substitutions _INSTANCE_NAME=trouwfeestwebsite-db,_REGION=europe-west6.
命令的完整输出是:(错误在底部)
Creating temporary tarball archive of 119 file(s) totalling 23.2 MiB before compression.
Some files were not included in the source upload.
Check the gcloud log [C:\Users\Sander\AppData\Roaming\gcloud\logs21.10.23.53.18.638301.log] t
o see which files and the contents of the
default gcloudignore file used (see `$ gcloud topic gcloudignore` to learn
more).
Uploading tarball of [.] to [gs://trouwfeestwebsite_cloudbuild/source/1635015198.74424-eca822c138ec
48878f292b9403f99e83.tgz]
ERROR: (gcloud.builds.submit) INVALID_ARGUMENT: could not resolve source: googleapi: Error 403: 934957811880@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden
在我的存储桶级别,我授予 934957811880@cloudbuild.gserviceaccount.com 存储对象查看器权限,正如我在 https://cloud.google.com/storage/docs/access-control/iam-roles 上看到的那样,这涵盖了 storage.objects.get 访问权限。
我还尝试授予 Storage Object Admin 和 Storage Admin。
我还在 IAM 级别添加了“查看者”角色(https://console.cloud.google.com/iam-admin/iam) for 934957811880@cloudbuild.gserviceaccount.com, as suggested in and https://github.com/google-github-actions/setup-gcloud/issues/105,但我觉得给帐户赋予如此广泛的角色似乎很可疑。
我在 Cloud Build 权限选项卡中启用了 Cloud 运行:https://console.cloud.google.com/cloud-build/settings/service-account?project=trouwfeestwebsite
进行这些更改后,运行使用 gcloud builds 提交命令时我仍然遇到相同的错误。
我不明白我在 credentials/authentication () 方面可能做错了什么。我没有更改 google 帐户密码,也没有撤销该帐户对 Google Cloud SDK 的权限,因为我初始化了该 SDK。
你看到我错过了什么了吗?
我的cloudmigrate.yaml的内容是:
steps:
- id: "build image"
name: "gcr.io/cloud-builders/docker"
args: ["build", "-t", "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}", "."]
- id: "push image"
name: "gcr.io/cloud-builders/docker"
args: ["push", "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}"]
- id: "apply migrations"
name: "gcr.io/google-appengine/exec-wrapper"
args:
[
"-i",
"gcr.io/$PROJECT_ID/${_SERVICE_NAME}",
"-s",
"${PROJECT_ID}:${_REGION}:${_INSTANCE_NAME}",
"-e",
"SETTINGS_NAME=${_SECRET_SETTINGS_NAME}",
"--",
"python",
"manage.py",
"migrate",
]
- id: "collect static"
name: "gcr.io/google-appengine/exec-wrapper"
args:
[
"-i",
"gcr.io/$PROJECT_ID/${_SERVICE_NAME}",
"-s",
"${PROJECT_ID}:${_REGION}:${_INSTANCE_NAME}",
"-e",
"SETTINGS_NAME=${_SECRET_SETTINGS_NAME}",
"--",
"python",
"manage.py",
"collectstatic",
"--verbosity",
"2",
"--no-input",
]
substitutions:
_INSTANCE_NAME: trouwfeestwebsite-db
_REGION: europe-west6
_SERVICE_NAME: invites-service
_SECRET_SETTINGS_NAME: django_settings
images:
- "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}"
非常感谢您的帮助。
以下解决了我的问题。
DazWilkin 说得对:
it's incorrectly|unable to reference the bucket
(对此发表评论,谢谢!!)。在我的秘密中(在 Secret Manager 上配置;或者您可以将它放在项目根文件夹级别的 .env 文件中,并确保您不排除该文件以便部署在 .gcloudignore 文件中),我现在
已设置:
GS_BUCKET_NAME=trouwfeestwebsite_sasa-trouw-bucket(项目ID+下划线+存储桶ID)
而不是
GS_BUCKET_NAME=sasa-trouw-bucket
虽然教程实际上说我必须设置第一个,但我已经设置了后者,因为我发现下划线分割很奇怪,在教程的任何地方我都没有看到类似的东西,我认为这是教程中的错误.
适配 GS_BUCKET_NAME 更改了 gcloud 构建提交的错误:
Creating temporary tarball archive of 412 file(s) totalling 41.6 MiB before compression.
Uploading tarball of [.] to [gs://trouwfeestwebsite_cloudbuild/source/1635063996.982304-d33fef2af77a4744a3bb45f02da8476b.tgz]
ERROR: (gcloud.builds.submit) PERMISSION_DENIED: service account "934957811880@cloudbuild.gserviceaccount.com" has insufficient permission to execute the build on project "trouwfeestwebsite"
这意味着至少现在找到了存储桶,只是缺少权限。
编辑(几个小时后):我注意到这个 GS_BUCKET_NAME=trouwfeestwebsite_sasa-trouw-bucket(项目 ID + 下划线 + 存储桶 ID)设置然后在部署的后期阶段引起了麻烦,当部署静态文件时(最后cloudmigrate.yaml 的步骤)。这似乎对两者都有效(请注意项目 ID 不再在 GS_BUCKET_NAME 中,而是在其单独的环境变量中):
DATABASE_URL=postgres://myuser:mypassword@//cloudsql/mywebsite:europe-west6:mywebsite-db/mydb
GS_PROJECT_ID=trouwfeestwebsite
GS_BUCKET_NAME=sasa-trouw-bucket
SECRET_KEY=my123Very456Long789Secret0Key
然后,好像也真的是权限问题:
为了完整起见,之后,我尝试按照中的说明添加权限,但并没有阻止我在问题中报告的错误。
然而这个答案帮助了我:。 =>
在 cloudbuild 服务帐户上设置 Editor 角色有助于 gcloud builds submit 命令继续其进程而不会引发权限错误。
如果你有同样的问题:我认为我的问题中提到的一些事情也可以帮助你 - 例如我认为这样做可能也很重要:
I enabled Cloud run in the Cloud Build permissons tab:
https://console.cloud.google.com/cloud-build/settings/service-account?project=trouwfeestwebsite
我正在尝试使用 Cloud 运行 部署我的 Django 网站,如 Google Cloud Platform's documentation 中所述,但在 运行 执行命令时出现错误 Error 403: 934957811880@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden gcloud builds submit --config cloudmigrate.yaml --substitutions _INSTANCE_NAME=trouwfeestwebsite-db,_REGION=europe-west6.
命令的完整输出是:(错误在底部)
Creating temporary tarball archive of 119 file(s) totalling 23.2 MiB before compression.
Some files were not included in the source upload.
Check the gcloud log [C:\Users\Sander\AppData\Roaming\gcloud\logs21.10.23.53.18.638301.log] t
o see which files and the contents of the
default gcloudignore file used (see `$ gcloud topic gcloudignore` to learn
more).
Uploading tarball of [.] to [gs://trouwfeestwebsite_cloudbuild/source/1635015198.74424-eca822c138ec
48878f292b9403f99e83.tgz]
ERROR: (gcloud.builds.submit) INVALID_ARGUMENT: could not resolve source: googleapi: Error 403: 934957811880@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden
在我的存储桶级别,我授予 934957811880@cloudbuild.gserviceaccount.com 存储对象查看器权限,正如我在 https://cloud.google.com/storage/docs/access-control/iam-roles 上看到的那样,这涵盖了 storage.objects.get 访问权限。
我还尝试授予 Storage Object Admin 和 Storage Admin。
我还在 IAM 级别添加了“查看者”角色(https://console.cloud.google.com/iam-admin/iam) for 934957811880@cloudbuild.gserviceaccount.com, as suggested in
我在 Cloud Build 权限选项卡中启用了 Cloud 运行:https://console.cloud.google.com/cloud-build/settings/service-account?project=trouwfeestwebsite
进行这些更改后,运行使用 gcloud builds 提交命令时我仍然遇到相同的错误。
我不明白我在 credentials/authentication (
你看到我错过了什么了吗?
我的cloudmigrate.yaml的内容是:
steps:
- id: "build image"
name: "gcr.io/cloud-builders/docker"
args: ["build", "-t", "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}", "."]
- id: "push image"
name: "gcr.io/cloud-builders/docker"
args: ["push", "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}"]
- id: "apply migrations"
name: "gcr.io/google-appengine/exec-wrapper"
args:
[
"-i",
"gcr.io/$PROJECT_ID/${_SERVICE_NAME}",
"-s",
"${PROJECT_ID}:${_REGION}:${_INSTANCE_NAME}",
"-e",
"SETTINGS_NAME=${_SECRET_SETTINGS_NAME}",
"--",
"python",
"manage.py",
"migrate",
]
- id: "collect static"
name: "gcr.io/google-appengine/exec-wrapper"
args:
[
"-i",
"gcr.io/$PROJECT_ID/${_SERVICE_NAME}",
"-s",
"${PROJECT_ID}:${_REGION}:${_INSTANCE_NAME}",
"-e",
"SETTINGS_NAME=${_SECRET_SETTINGS_NAME}",
"--",
"python",
"manage.py",
"collectstatic",
"--verbosity",
"2",
"--no-input",
]
substitutions:
_INSTANCE_NAME: trouwfeestwebsite-db
_REGION: europe-west6
_SERVICE_NAME: invites-service
_SECRET_SETTINGS_NAME: django_settings
images:
- "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}"
非常感谢您的帮助。
以下解决了我的问题。
DazWilkin 说得对:
it's incorrectly|unable to reference the bucket
(对此发表评论,谢谢!!)。在我的秘密中(在 Secret Manager 上配置;或者您可以将它放在项目根文件夹级别的 .env 文件中,并确保您不排除该文件以便部署在 .gcloudignore 文件中),我现在 已设置:
GS_BUCKET_NAME=trouwfeestwebsite_sasa-trouw-bucket(项目ID+下划线+存储桶ID)而不是
GS_BUCKET_NAME=sasa-trouw-bucket虽然教程实际上说我必须设置第一个,但我已经设置了后者,因为我发现下划线分割很奇怪,在教程的任何地方我都没有看到类似的东西,我认为这是教程中的错误.
适配
GS_BUCKET_NAME更改了 gcloud 构建提交的错误:Creating temporary tarball archive of 412 file(s) totalling 41.6 MiB before compression. Uploading tarball of [.] to [gs://trouwfeestwebsite_cloudbuild/source/1635063996.982304-d33fef2af77a4744a3bb45f02da8476b.tgz] ERROR: (gcloud.builds.submit) PERMISSION_DENIED: service account "934957811880@cloudbuild.gserviceaccount.com" has insufficient permission to execute the build on project "trouwfeestwebsite"这意味着至少现在找到了存储桶,只是缺少权限。
编辑(几个小时后):我注意到这个
GS_BUCKET_NAME=trouwfeestwebsite_sasa-trouw-bucket(项目 ID + 下划线 + 存储桶 ID)设置然后在部署的后期阶段引起了麻烦,当部署静态文件时(最后cloudmigrate.yaml 的步骤)。这似乎对两者都有效(请注意项目 ID 不再在 GS_BUCKET_NAME 中,而是在其单独的环境变量中):DATABASE_URL=postgres://myuser:mypassword@//cloudsql/mywebsite:europe-west6:mywebsite-db/mydb GS_PROJECT_ID=trouwfeestwebsite GS_BUCKET_NAME=sasa-trouw-bucket SECRET_KEY=my123Very456Long789Secret0Key然后,好像也真的是权限问题:
为了完整起见,之后,我尝试按照
然而这个答案帮助了我:
Editor角色有助于 gcloud builds submit 命令继续其进程而不会引发权限错误。
如果你有同样的问题:我认为我的问题中提到的一些事情也可以帮助你 - 例如我认为这样做可能也很重要:
I enabled Cloud run in the Cloud Build permissons tab: https://console.cloud.google.com/cloud-build/settings/service-account?project=trouwfeestwebsite