gpt4 book ai didi

google-cloud-platform - 无法使用 terraform 和 gcp 提供程序分配角色,但可以在 UI 中使用

转载 作者:行者123 更新时间:2023-12-04 08:29:08 25 4
gpt4 key购买 nike

尝试将创建的角色分配给 GCP 服务帐户,然后将其用作 k8s 部署的工作负载身份。
地形:

resource google_project_iam_custom_role sign_blob_role {
permissions = ["iam.serviceAccounts.signBlob"]
role_id = "signBlob"
title = "Sign Blob"
}

resource google_service_account_iam_member document_signer_workload {
service_account_id = module.document_signer_service_accounts.service_accounts_map.doc-sign.name
role = "roles/iam.workloadIdentityUser"
member = local.document_sign_sa
}

module document_signer_service_accounts {
source = "terraform-google-modules/service-accounts/google"
version = "~> 3.0"
project_id = var.gcp_project_name
prefix = "doc-sign-sa"
names = ["doc-sign"]
project_roles = [
"${var.gcp_project_name}=>roles/viewer",
"${var.gcp_project_name}=>roles/storage.objectViewer",
"${var.gcp_project_name}=>roles/iam.workloadIdentityUser",
"${var.gcp_project_name}=>${google_project_iam_custom_role.sign_blob_role.name}"
]
display_name = substr("GCP SA bound to K8S SA ${local.document_sign_sa}. Used to sign document.", 0, 100)
}
错误:
Error: Request "Create IAM Members roles/signBlob serviceAccount:staging-doc-sign@********************.iam.gserviceaccount.com for \"project \\\"********************\\\"\"" returned error: Error applying IAM policy for project "********************": Error setting IAM policy for project "********************": googleapi: Error 400: Role roles/signBlob is not supported for this resource., badRequest

on .terraform/modules/document_signer_service_accounts/main.tf line 46, in resource "google_project_iam_member" "project-roles":
46: resource "google_project_iam_member" "project-roles" {
但是,当我在 UI 上执行相同操作时,它允许我分配角色。
我在这里做错了什么?

最佳答案

您调用自定义角色的方式似乎有问题。"${var.gcp_project_name}=>${google_project_iam_custom_role.sign_blob_role.name}"自定义角色已经属于项目,无需指定${var.gcp_project_name}所以,代码应该是这样的:

project_roles = [
"${var.gcp_project_name}=>roles/viewer",
"${var.gcp_project_name}=>roles/storage.objectViewer",
"${var.gcp_project_name}=>roles/iam.workloadIdentityUser",
"${google_project_iam_custom_role.sign_blob_role.name}"
]
编辑 1
据此 documentation
这是模块 service-accounts的基本用法
module "service_accounts" {
source = "terraform-google-modules/service-accounts/google"
version = "~> 2.0"
project_id = "<PROJECT ID>"
prefix = "test-sa"
names = ["first", "second"]
project_roles = [
"project-foo=>roles/viewer",
"project-spam=>roles/storage.objectViewer",
]
}
我认为您的资源中对属性的引用应该有问题。
尽管如此,我还是找到了 github repository其中包含一些关于如何将自定义角色添加到服务帐户的好示例:
# https://www.terraform.io/docs/providers/google/r/google_project_iam.html#google_project_iam_binding

resource "google_project_iam_binding" "new-roles" {
role = "projects/${var.project_id}/roles/${google_project_iam_custom_role.new-custom-role.role_id}"
members = ["serviceAccount:${google_service_account.new.email}"]
}
我认为您可能会发现完成此任务很有用。

关于google-cloud-platform - 无法使用 terraform 和 gcp 提供程序分配角色,但可以在 UI 中使用,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/65111364/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com