错误 403:尝试通过 Terraform 设置共享 VPC 时需要项目的 'compute.organizations.enableXpnHost' 权限
Error 403: Required 'compute.organizations.enableXpnHost' permission for project when trying to set up shared VPC via terraform
我正在尝试使用 terraform 设置共享 VPC 宿主项目,我得到了
│ Error: Error enabling Shared VPC Host "master-vpc": googleapi: Error 403: Required 'compute.organizations.enableXpnHost' permission for 'projects/master-vpc', forbidden
│
│ with google_compute_shared_vpc_host_project.host,
│ on main.tf line 282, in resource "google_compute_shared_vpc_host_project" "host":
│ 282: resource "google_compute_shared_vpc_host_project" "host" {
我看过 that matches exactly my premise, but I can't seem to follow their solution as they are using some service account linked to a cloud run environment, which is not my case. I use a terraform-admin service account that has "organization admin rigths" cf. Image 1
因为 terraform-admin 是通过 terraform 创建资源的那个(我 运行 在本地通过帐户密钥),它应该有足够的权限来添加资源 google_compute_shared_vpc_host_project.
这是我进一步分配给帐户 network-admin(我想用来管理 VPC 的帐户)和 terraform-admin 一般基础设施超级管理员的权限。
resource "google_project_iam_member" "master-vpc-owner-role" {
project = google_project.master-vpc.project_id
member = "serviceAccount:${google_service_account.master-vpc-network-admin.email}"
role = "roles/owner"
}
resource "google_project_iam_member" "master-vpc-project-iam-admin-role" {
project = google_project.master-vpc.project_id
role = "roles/resourcemanager.projectIamAdmin"
member = "serviceAccount:${google_service_account.master-vpc-network-admin.email}"
}
# roles/compute.xpnAdmin does not seem to cascade to the project
resource "google_folder_iam_member" "net-ops-folder-compute-xpnAdmin-role-for-net-admin" {
folder = google_folder.net-ops.name
member = "serviceAccount:${google_service_account.master-vpc-network-admin.email}"
role = "roles/compute.xpnAdmin"
}
# Create the shared VPC
resource "google_compute_shared_vpc_host_project" "host" {
# project = google_project.master-vpc.project_id
project = "${var.project_master_vpc.project_id}"
}
有人可以向我解释我做错了什么吗?
事实是我 运行ning terraform apply 在本地以某种方式通过 gcloud auth 使用经过身份验证的帐户吗?
仅供参考,为了将基础架构更改应用到我的组织,我使用了凭据文件
provider "google" {
credentials = file(var.credentials_file)
region = var.region
zone = var.zone
}
我似乎无法将角色 "roles/compute.xpnAdmin" 分配给 master-vpc,这就是我将其分配给父文件夹 Net-ops 的原因,但是错误“需要”'projects/master-vpc' 的权限。我错过了什么?
在 Net-ops 文件夹级别启用此角色是否足够,还是我必须将其放在组织级别? (我也不确定这是否是个好主意,因为它会授予 network-admin 一些组织级别的操作)
角色 roles/compute.xpnAdmin 需要在组织级别设置...这意味着通过 Terraform 处理资源创建的 terraform-admin 需要具有此角色。
授予它的方法如下:
# On the organization level :
# "roles/compute.xpnAdmin" to create the VPC
resource "google_organization_iam_member" "org-compute-xpnAdmin-role-for-terraform-admin" {
org_id = <your organization's ID>
role = "roles/compute.xpnAdmin"
member = "serviceAccount:${google_service_account.terraform_infra_admin.email}"
}
# Create the shared VPC
resource "google_compute_shared_vpc_host_project" "host" {
# project = google_project.master-vpc.project_id
project = var.project_master_vpc.project_id
}
这当然意味着在这种情况下,组织的基础设施管理员也是创建 VPC 的人。
Terraform 中使用的服务帐户应与 GCP 中使用的相同。所以这是您的 terraform-admin,并且此帐户需要在组织级别具有角色“roles/compute.xpnAdmin”,如 Imad 所述。这是因为此角色授予管理共享 VPC 宿主项目的权限,并且 Google 建议共享 VPC 管理员成为共享 VPC 宿主项目的所有者,如本 link
中所述
我正在尝试使用 terraform 设置共享 VPC 宿主项目,我得到了
│ Error: Error enabling Shared VPC Host "master-vpc": googleapi: Error 403: Required 'compute.organizations.enableXpnHost' permission for 'projects/master-vpc', forbidden
│
│ with google_compute_shared_vpc_host_project.host,
│ on main.tf line 282, in resource "google_compute_shared_vpc_host_project" "host":
│ 282: resource "google_compute_shared_vpc_host_project" "host" {
我看过terraform-admin service account that has "organization admin rigths" cf. Image 1
因为 terraform-admin 是通过 terraform 创建资源的那个(我 运行 在本地通过帐户密钥),它应该有足够的权限来添加资源 google_compute_shared_vpc_host_project.
这是我进一步分配给帐户 network-admin(我想用来管理 VPC 的帐户)和 terraform-admin 一般基础设施超级管理员的权限。
resource "google_project_iam_member" "master-vpc-owner-role" {
project = google_project.master-vpc.project_id
member = "serviceAccount:${google_service_account.master-vpc-network-admin.email}"
role = "roles/owner"
}
resource "google_project_iam_member" "master-vpc-project-iam-admin-role" {
project = google_project.master-vpc.project_id
role = "roles/resourcemanager.projectIamAdmin"
member = "serviceAccount:${google_service_account.master-vpc-network-admin.email}"
}
# roles/compute.xpnAdmin does not seem to cascade to the project
resource "google_folder_iam_member" "net-ops-folder-compute-xpnAdmin-role-for-net-admin" {
folder = google_folder.net-ops.name
member = "serviceAccount:${google_service_account.master-vpc-network-admin.email}"
role = "roles/compute.xpnAdmin"
}
# Create the shared VPC
resource "google_compute_shared_vpc_host_project" "host" {
# project = google_project.master-vpc.project_id
project = "${var.project_master_vpc.project_id}"
}
有人可以向我解释我做错了什么吗?
事实是我 运行ning terraform apply 在本地以某种方式通过 gcloud auth 使用经过身份验证的帐户吗?
仅供参考,为了将基础架构更改应用到我的组织,我使用了凭据文件
provider "google" {
credentials = file(var.credentials_file)
region = var.region
zone = var.zone
}
我似乎无法将角色
"roles/compute.xpnAdmin"分配给master-vpc,这就是我将其分配给父文件夹Net-ops的原因,但是错误“需要”'projects/master-vpc' 的权限。我错过了什么?在
Net-ops文件夹级别启用此角色是否足够,还是我必须将其放在组织级别? (我也不确定这是否是个好主意,因为它会授予network-admin一些组织级别的操作)
角色 roles/compute.xpnAdmin 需要在组织级别设置...这意味着通过 Terraform 处理资源创建的 terraform-admin 需要具有此角色。
授予它的方法如下:
# On the organization level :
# "roles/compute.xpnAdmin" to create the VPC
resource "google_organization_iam_member" "org-compute-xpnAdmin-role-for-terraform-admin" {
org_id = <your organization's ID>
role = "roles/compute.xpnAdmin"
member = "serviceAccount:${google_service_account.terraform_infra_admin.email}"
}
# Create the shared VPC
resource "google_compute_shared_vpc_host_project" "host" {
# project = google_project.master-vpc.project_id
project = var.project_master_vpc.project_id
}
这当然意味着在这种情况下,组织的基础设施管理员也是创建 VPC 的人。
Terraform 中使用的服务帐户应与 GCP 中使用的相同。所以这是您的 terraform-admin,并且此帐户需要在组织级别具有角色“roles/compute.xpnAdmin”,如 Imad 所述。这是因为此角色授予管理共享 VPC 宿主项目的权限,并且 Google 建议共享 VPC 管理员成为共享 VPC 宿主项目的所有者,如本 link
中所述