(Terraform, Cloud Run) Error: Forbidden Your client does not have permission to get URL / from this server

I am trying to run a Docker image on Cloud Run using Terraform. The code is as follows:

provider "google" {
  credentials = file("myCredentials.json")
  project     = "myproject-214771"
  region      = "asia-northeast1"
}

resource "google_cloud_run_service" "default" {
  name     = "hello-world"
  location = "asia-northeast1"

  template {
    spec {
      containers {
        image = "gcr.io/myproject-214771/hello-world:latest"
      }
    }
  }

  traffic {
    percent         = 100
    latest_revision = true
  }
}

Then the Docker image runs successfully:

But when I visit the URL, it shows:

Error: Forbidden Your client does not have permission to get URL / from this server

Is there anything wrong with my Terraform code?

Add (copy and paste) the code below to your Terraform code to allow unauthenticated invocations of a public API or website:

data "google_iam_policy" "noauth" {
  binding {
    role = "roles/run.invoker"
    members = [
      "allUsers",
    ]
  }
}

resource "google_cloud_run_service_iam_policy" "noauth" {
  location    = google_cloud_run_service.default.location
  project     = google_cloud_run_service.default.project
  service     = google_cloud_run_service.default.name

  policy_data = data.google_iam_policy.noauth.policy_data
}

So here is the complete code:

provider "google" {
  credentials = file("myCredentials.json")
  project     = "myproject-214771"
  region      = "asia-northeast1"
}

resource "google_cloud_run_service" "default" {
  name     = "hello-world"
  location = "asia-northeast1"

  template {
    spec {
      containers {
        image = "gcr.io/myproject-214771/hello-world:latest"
      }
    }
  }

  traffic {
    percent         = 100
    latest_revision = true
  }
}

data "google_iam_policy" "noauth" {
  binding {
    role = "roles/run.invoker"
    members = [
      "allUsers",
    ]
  }
}

resource "google_cloud_run_service_iam_policy" "noauth" {
  location    = google_cloud_run_service.default.location
  project     = google_cloud_run_service.default.project
  service     = google_cloud_run_service.default.name

  policy_data = data.google_iam_policy.noauth.policy_data
}

Finally, your URL displays your website correctly:

Also, "Authentication" now shows "Allow unauthenticated":

Don't forget to add the "Cloud Run Admin" role to your service account:

Otherwise, you cannot allow unauthenticated invocations of a public API or website, and you will get the following error message:

Error setting IAM policy for cloudrun service "v1/projects/myproject-214771/locations/asia-northeast1/services/hello-world": googleapi: Error 403: Permission 'run.services.setIamPolicy' denied on resource 'projects/myproject-214771/locations/asia-northeast1/services/hello-world' (or resource may not exist).

In addition, with the following roles you cannot allow unauthenticated invocations of a public API or website:

Only the "Cloud Run Admin" role can allow unauthenticated invocations of a public API or website.
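An added check, not part of the question or the answer above, that a reviewer can run over Terraform files before `terraform apply`: it flags `google_iam_policy` bindings granted to `allUsers` or `allAuthenticatedUsers`, which is exactly what turns the answer's `roles/run.invoker` binding into an Internet-facing service. The embedded Terraform sample is constructed; the `internal` policy and its service-account member are hypothetical.

```python
import re

# Constructed sample, not the page's own file: the answer's "noauth" policy next to a
# locked-down policy that grants run.invoker to one (hypothetical) service account.
SAMPLE_TF = '''
data "google_iam_policy" "noauth" {
  binding {
    role = "roles/run.invoker"
    members = [
      "allUsers",
    ]
  }
}

data "google_iam_policy" "internal" {
  binding {
    role = "roles/run.invoker"
    members = [
      "serviceAccount:frontend@example-project.iam.gserviceaccount.com",
    ]
  }
}
'''
# Principals that open a binding to anyone on the Internet (allAuthenticatedUsers
# only requires *some* Google account, so it is treated as public here).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Minimal HCL matching: data blocks close with "}" at column 0, bindings with an indented "}".
BLOCK_RE = re.compile(r'data\s+"google_iam_policy"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
BINDING_RE = re.compile(r'binding\s*\{(.*?)\n\s*\}', re.S)
ROLE_RE = re.compile(r'role\s*=\s*"([^"]+)"')
MEMBERS_RE = re.compile(r'members\s*=\s*\[(.*?)\]', re.S)
QUOTED_RE = re.compile(r'"([^"]+)"')

def find_public_bindings(tf_source: str) -> list[tuple[str, str, str]]:
    """Return (policy_name, role, member) for every binding granted to a public principal."""
    findings = []
    for name, body in BLOCK_RE.findall(tf_source):
        for binding in BINDING_RE.findall(body):
            role_m, members_m = ROLE_RE.search(binding), MEMBERS_RE.search(binding)
            if not role_m or not members_m:
                continue  # malformed or unsupported binding; skip rather than guess
            for member in QUOTED_RE.findall(members_m.group(1)):
                if member in PUBLIC_PRINCIPALS:
                    findings.append((name, role_m.group(1), member))
    return findings

if __name__ == "__main__":
    for policy, role, member in find_public_bindings(SAMPLE_TF):
        print(f"PUBLIC: google_iam_policy.{policy} grants {role} to {member}")
```

Only the `noauth` policy is reported; the `internal` policy, scoped to a single service account, passes.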