google-cloud-platform - 尽管服务帐户具有所有者角色，但 GCP 中的存储桶查询权限被拒绝

Question

我正在尝试通过 Terraform 制作 GCP VM。我在 Google 上创建了一个具有 Project Owner 角色的服务帐户。通过 Terraform，我正在尝试制作一个存储桶来存储 Terraform 的状态。凭证的 .json 位于 Gitlab 变量中。

问题是 ，尽管服务帐户具有所有者角色，但我收到 403 错误，说我的服务帐户无权访问并且被禁止。

我尝试过的事情:

我为服务帐户分配了不同的角色，包括项目编辑器、存储管理员和存储对象管理员。

我已将其删除并重新制作(并更新了 Gitlab 变量)。

我已经通过 UI 而不是 Terraform 在 google 上创建了bucket，因为这是问题所在，但没有改变任何东西。

Gitlab 的 yml:

image:
  name: hashicorp/terraform:light  
  entrypoint:
    - '/usr/bin/env'
    - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

before_script:
  - rm -rf .terraform
  - terraform --version
  - mkdir -p ./creds
  - echo $SERVICEACCOUNT | base64 -d > ./creds/serviceaccount.json
  - terraform init

stages:
  - validate
  - plan
  - apply

validate:
  stage: validate
  script:
    - terraform validate

plan:
  stage: plan
  script:
    - terraform plan -out "planfile"
  dependencies:
    - validate
  artifacts:
    paths:
      - planfile

apply:
  stage: apply
  script:
    - terraform apply -input=false "planfile"
  dependencies:
    - plan
  when: manual

我的主要.tf:

provider "google" {
    project = "project-id-name" 
    credentials = "./creds/serviceaccount.json"
    region = "europe-west1"
}

# make bucket to store terraform state into
resource "google_storage_bucket" "terraform_state"  {
  name     = "terraform-up-and-running-state"
    region = "europe-west1"
}

# config terraform to store onto cloud in bucket above
terraform {
  backend "gcs" {
    bucket = "terraform-up-and-running-state"
    credentials = "./creds/serviceaccount.json"
  }
}

# rest 
resource "google_compute_instance" "vm_instance" {
  name         = "my-test-vm"
  machine_type = "f1-micro"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    # A default network is created for all GCP projects
    network = "${google_compute_network.vpc_network.self_link}"
    access_config {
    }
  }
}
resource "google_compute_network" "vpc_network" {
  name                    = "my-test-network"
  auto_create_subnetworks = "true"
}

目标是仅通过 Terraform 初始化 Google VM 和我需要的一切。

这是 Gitlab 的验证阶段显示的内容:

Running with gitlab-runner 12.3.0 (a8a019e0)
  on docker-auto-scale 72989761
Using Docker executor with image hashicorp/terraform:light ...
Pulling docker image hashicorp/terraform:light ...
Using docker image sha256:e42a20110eb49783e5f0e1594c67c8d45663fbf84303c395540b8dc94558d448 for hashicorp/terraform:light ...
Running on runner-72989761-project-14591382-concurrent-0 via runner-72989761-srm-1570020185-504ac9cf...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/my-project/playground-webscraper/.git/
Created fresh repository.
From https://gitlab.com/my-project/playground-webscraper
 * [new branch]      master     -> origin/master
Checking out c183697f as master...

Skipping Git submodules setup
$ rm -rf .terraform
$ terraform --version
Terraform v0.12.9
$ mkdir -p ./creds
$ echo $SERVICEACCOUNT | base64 -d > ./creds/serviceaccount.json
$ terraform init

Initializing the backend...

Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.

Error: Failed to get existing workspaces: querying Cloud Storage failed: googleapi: Error 403: terraform@kims-playground-webscraper.iam.gserviceaccount.com does not have storage.objects.list access to terraform-up-and-running-state., forbidden


ERROR: Job failed: exit code 1

Answer 1

Google Cloud Storage Bucket 命名空间是全局的，terraform-up-and-running-state 已经被世界上的另一个存储桶使用，而您尝试访问他们的存储桶却被拒绝。看起来网上有一个 number of tutorials 引用了这个存储桶名称。确保您的存储桶名称是唯一的。

我猜这不是你的桶:http://terraform-up-and-running-state.storage.googleapis.com/

看:

https://cloud.google.com/storage/docs/best-practices#naming

https://cloud.google.com/storage/docs/naming#requirements