Google cloud platform Google部署管理器-项目创建权限被拒绝
运行部署管理器创建部署时,我从GCP收到403 PERMISSION_DENIED响应,该部署使用云资源管理器API创建项目、两个服务帐户并为其设置IAM策略Google cloud platform Google部署管理器-项目创建权限被拒绝,google-cloud-platform,google-deployment-manager,Google Cloud Platform,Google Deployment Manager,运行部署管理器创建部署时,我从GCP收到403 PERMISSION_DENIED响应,该部署使用云资源管理器API创建项目、两个服务帐户并为其设置IAM策略 - code: RESOURCE_ERROR location: /deployments/test-deployment/resources/dm-test-project message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode
- code: RESOURCE_ERROR
location: /deployments/test-deployment/resources/dm-test-project
message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/dm-test-project","httpMethod":"GET"}}'
之前,我创建了一个项目“DM project Creation”,启用一些API,将计费帐户分配给它,然后创建一个服务帐户。
我已经创建了一个组织节点,因此我在组织节点中添加了创建的服务帐户,并提供了以下IAM角色:
-项目创建者
-计费帐户用户
实际上,我是在谷歌云平台上遵循以下示例的:
我运行以下命令以使用服务帐户进行身份验证:
gcloud身份验证激活服务帐户dm项目-creation@dm-creation-project-0.iam.gserviceaccount.com--key file=/Users/famedina/Downloads/dm-creation-project-0-f1f92dd070ce.json
然后运行部署管理器并传递配置文件:
gcloud部署管理器部署创建测试部署--config config.yaml
imports:
- path: project.py
resources:
# The "name" property below will be the ID of the new project
# If you want your project to have a different name, use the "project-name"
# property.
- name: dm-test-project
type: project.py
properties:
# Change this to your organization ID.
organization-id: "<MY_ORG_ID"
# You can also create the project in a folder.
# If both organization-id and parent-folder-id are provided,
# the project will be created in parent-folder-id.
#parent-folder-id: "FOLDER_ID"
# Change the following to your organization's billing account
billing-account-name: billingAccounts/<MY_BILLING_ACC_ID>
# The apis to enable in the new project.
# To see the possible APIs, use: gcloud services list --available
apis:
- compute.googleapis.com
- deploymentmanager.googleapis.com
- pubsub.googleapis.com
- storage-component.googleapis.com
- monitoring.googleapis.com
- logging.googleapis.com
# The service accounts you want to create in the project
service-accounts:
- my-service-account-1
- my-service-account-2
bucket-export-settings:
create-bucket: true
# If using an already existing bucket, specify this
# bucket: <my bucket name>
# Makes the service account that Deployment Manager would use in the
# generated project when making deployments in this new project a
# project owner.
set-dm-service-account-as-owner: true
# The patches to apply to the project's IAM policy. Note that these are
# always applied as a patch to the project's current IAM policy, not as a
# diff with the existing properties stored in DM. This means that removing
# a binding from the 'add' section will not remove the binding on the
# project during the next update. Instead it must be added to the 'remove'
# section.
iam-policy-patch:
# These are the bindings to add.
add:
- role: roles/owner
members:
# NOTE: The DM service account that is creating this project will
# automatically be added as an owner.
- serviceAccount:98765432100@cloudservices.gserviceaccount.com
- role: roles/viewer
members:
- user:iamtester@deployment-manager.net
# The bindings to remove. Note that these are idempotent, in the sense
# that any binding here that is not actually on the project is considered
# to have been removed successfully.
remove:
- role: roles/owner
members:
# This is already not on the project, but in case it shows up, let's
# remove it.
- serviceAccount:1234567890@cloudservices.gserviceaccount.com```
导入:
-路径:project.py
资源:
#下面的“name”属性将是新项目的ID
#如果希望项目具有不同的名称,请使用“项目名称”
#财产。
-名称:dm测试项目
类型:project.py
特性:
#将此更改为您的组织ID。
组织id:“我也遇到了这个问题,错误消息实际上并没有解释根本问题。
关键是这是一个GET操作,而不是试图创建项目。这是为了验证所请求的项目id的全局唯一性,如果不是唯一的,则抛出“权限被拒绝”
- code: RESOURCE_ERROR
location: /deployments/test-deployment/resources/dm-test-project
message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/dm-test-project","httpMethod":"**GET**"}}'
对于最终用户产生的错误,还有很大的改进空间。我也遇到了这个问题,错误消息实际上并没有解释根本问题。
关键是这是一个GET操作,而不是试图创建项目。这是为了验证所请求的项目id的全局唯一性,如果不是唯一的,则抛出“权限被拒绝”
- code: RESOURCE_ERROR
location: /deployments/test-deployment/resources/dm-test-project
message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/dm-test-project","httpMethod":"**GET**"}}'
对于最终用户产生的错误,还有很大的改进余地。您已经有多少个项目?如果您试图在控制台中创建此项目,是否会收到一个错误,即已达到最大项目数(从我的记忆中提取消息)?除非您增加了配额,否则限制为5。我已经根据以下线程解决了问题:我正在尝试部署运行gcloud部署管理器部署创建测试部署--config examples/my_project.yaml
,然后,当收到所述错误时,我正在运行以下命令删除部署:gcloud部署管理器部署删除测试部署。显然,项目ID已经“修复”“在尝试再次部署时,我们无法再重用它,因此我对它进行了更改,它最终起到了作用。无法重用同一个项目ID的原因是,可以取消删除已删除的项目。我不记得恢复时间,大约20天。我想知道如果我从一开始就收到403 PERMISSION_DENIED错误消息,那么该项目是如何被视为已创建的,因此即使我稍后尝试删除部署,它也应该允许重用相同的项目ID。您已经有多少个项目?如果您试图在控制台中创建此项目,是否收到已达到最大项目数的错误(从我的内存中提取消息)?除非您增加了配额,否则限制为5。我已经基于以下线程解决了此问题:我正在尝试部署正在运行的gcloud部署管理器部署创建测试部署--config examples/my_project.yaml
,然后,收到所述错误时,我正在删除部署,并运行以下命令:gcloud deployment manager deployments delete test deployment
。显然,项目ID已经“固定”了,我们在尝试再次部署时无法再重用它,因此我对其进行了更改,它最终起到了作用。无法重用相同项目ID的原因是删除的项目可以取消删除。我不记得恢复时间,大约20天。我想知道如果我从一开始就收到403 PERMISSION_DENIED错误消息,那么该项目是如何被视为已创建的,因此即使我稍后尝试删除部署,它也应该允许重用相同的项目ID。