GCP - Cloud Composer 2 - 在此环境上创建操作失败
GCP - Cloud Composer 2 - Create operation on this environment failed
我正在尝试在 GCP 上创建一个默认的 Composer 2 实例并得到错误:
CREATE operation on this environment failed 32 minutes ago with the following error message:
Composer Backend timed out. Currently running tasks are [stage: CP_COMPOSER_AGENT_RUNNING
description: "No agent response published."
...
或
CREATE operation on this environment failed 32 minutes ago with the following error message:
Environment couldn't be created, but no error was surfaced. This can be cause by a lack of
proper permissions. Check if this environment's service account ... .iam.gserviceaccount.com
has the 'roles/composer.worker' role and there is no firewall inhibiting internal
communications set.
我已经在 https://cloud.google.com/composer/docs/composer-2/access-control 中尝试将 Composer Worker 角色添加到服务帐户和所有其他必需的角色(例如 Cloud Composer v2 API Service Agent Extension)(对于 public以及私有的,尽管实例是 public).
我查看了 GKE 实例,发现 Pod composer-agent 失败:
Traceback (most recent call last): File "composer_agent.py", line 467, in <module> main() File "composer_agent.py", line 292, in main responses = pubsub_subscriber.pull() (...)
oauth2client.client.HttpAccessTokenRefreshError: Failed to retrieve
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/(...)
compute@developer.gserviceaccount.com/token from the Google Compute Enginemetadata service.
Response:
{'date': 'Thu, 17 Feb 2022 10:29:46 GMT', 'status': '403', 'content-length': '668', 'content-
type': 'text/plain; charset=utf-8', 'x-content-type-options': 'nosniff'}
所以我假设仍然存在一些权限问题,但我无法弄清楚是什么,可以毫无问题地创建 Composer 1 实例,以及对服务帐户具有相同权限的不同项目 Composer 2 实例。
我还尝试创建具有所需权限的不同于默认计算服务帐户,但也没有成功。我还检查了我要添加权限的服务帐户实际上是在 composer-agent 中发送请求的服务帐户,并且正在向 GKE 集群发送环境创建请求。
希望哪位遇到过类似问题或者对composer-agent中出现的错误有比较了解的可以帮忙,非常感谢!
在与 Google 支持团队联系后,解决方案是手动启用“IAM 服务帐户凭据 API”。服务帐户权限或防火墙设置没有问题。
我正在尝试在 GCP 上创建一个默认的 Composer 2 实例并得到错误:
CREATE operation on this environment failed 32 minutes ago with the following error message:
Composer Backend timed out. Currently running tasks are [stage: CP_COMPOSER_AGENT_RUNNING
description: "No agent response published."
...
或
CREATE operation on this environment failed 32 minutes ago with the following error message:
Environment couldn't be created, but no error was surfaced. This can be cause by a lack of
proper permissions. Check if this environment's service account ... .iam.gserviceaccount.com
has the 'roles/composer.worker' role and there is no firewall inhibiting internal
communications set.
我已经在 https://cloud.google.com/composer/docs/composer-2/access-control 中尝试将 Composer Worker 角色添加到服务帐户和所有其他必需的角色(例如 Cloud Composer v2 API Service Agent Extension)(对于 public以及私有的,尽管实例是 public).
我查看了 GKE 实例,发现 Pod composer-agent 失败:
Traceback (most recent call last): File "composer_agent.py", line 467, in <module> main() File "composer_agent.py", line 292, in main responses = pubsub_subscriber.pull() (...)
oauth2client.client.HttpAccessTokenRefreshError: Failed to retrieve
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/(...)
compute@developer.gserviceaccount.com/token from the Google Compute Enginemetadata service.
Response:
{'date': 'Thu, 17 Feb 2022 10:29:46 GMT', 'status': '403', 'content-length': '668', 'content-
type': 'text/plain; charset=utf-8', 'x-content-type-options': 'nosniff'}
所以我假设仍然存在一些权限问题,但我无法弄清楚是什么,可以毫无问题地创建 Composer 1 实例,以及对服务帐户具有相同权限的不同项目 Composer 2 实例。
我还尝试创建具有所需权限的不同于默认计算服务帐户,但也没有成功。我还检查了我要添加权限的服务帐户实际上是在 composer-agent 中发送请求的服务帐户,并且正在向 GKE 集群发送环境创建请求。
希望哪位遇到过类似问题或者对composer-agent中出现的错误有比较了解的可以帮忙,非常感谢!
在与 Google 支持团队联系后,解决方案是手动启用“IAM 服务帐户凭据 API”。服务帐户权限或防火墙设置没有问题。