Google Deployment Manager - Project creation permission denied

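When running Deployment Manager to create a deployment, I get a 403 PERMISSION_DENIED response from GCP. The deployment uses the Cloud Resource Manager API to create a project and two service accounts, and to set the IAM policy for them.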

- code: RESOURCE_ERROR
  location: /deployments/test-deployment/resources/dm-test-project
  message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
    caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/dm-test-project","httpMethod":"GET"}}'
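Previously, I created a project "DM project Creation", enabled some APIs, assigned a billing account to it, and then created a service account. I had already created an organization node, so I added the created service account to the organization node and granted it the following IAM roles:
- Project Creator
- Billing Account User

I am actually following this example from Google Cloud Platform:

I run the following command to authenticate with the service account:

gcloud auth activate-service-account dm-project-creation@dm-creation-project-0.iam.gserviceaccount.com --key-file=/Users/famedina/Downloads/dm-creation-project-0-f1f92dd070ce.json

Then I run Deployment Manager and pass it the configuration file:

gcloud deployment-manager deployments create test-deployment --config config.yaml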

imports:
- path: project.py

resources:
  # The "name" property below will be the ID of the new project
  # If you want your project to have a different name, use the "project-name"
  # property.
  - name: dm-test-project
    type: project.py
    properties:
        # Change this to your organization ID.
        organization-id: "<MY_ORG_ID>"
        # You can also create the project in a folder.
        # If both organization-id and parent-folder-id are provided,
        # the project will be created in parent-folder-id.
        #parent-folder-id: "FOLDER_ID"

        # Change the following to your organization's billing account
        billing-account-name: billingAccounts/<MY_BILLING_ACC_ID>

        # The apis to enable in the new project.
        # To see the possible APIs, use: gcloud services list --available
        apis:
          - compute.googleapis.com
          - deploymentmanager.googleapis.com
          - pubsub.googleapis.com
          - storage-component.googleapis.com
          - monitoring.googleapis.com
          - logging.googleapis.com

        # The service accounts you want to create in the project
        service-accounts:
          - my-service-account-1
          - my-service-account-2

        bucket-export-settings:
            create-bucket: true
            # If using an already existing bucket, specify this
            # bucket: <my bucket name>

        # Makes the service account that Deployment Manager would use in the
        # generated project when making deployments in this new project a
        # project owner.
        set-dm-service-account-as-owner: true

        # The patches to apply to the project's IAM policy. Note that these are
        # always applied as a patch to the project's current IAM policy, not as a
        # diff with the existing properties stored in DM. This means that removing
        # a binding from the 'add' section will not remove the binding on the
        # project during the next update. Instead it must be added to the 'remove'
        # section.
        iam-policy-patch:
            # These are the bindings to add.
            add:
              - role: roles/owner
                members:
                  # NOTE: The DM service account that is creating this project will
                  # automatically be added as an owner.
                  - serviceAccount:98765432100@cloudservices.gserviceaccount.com
              - role: roles/viewer
                members:
                  - user:iamtester@deployment-manager.net
            # The bindings to remove. Note that these are idempotent, in the sense
            # that any binding here that is not actually on the project is considered
            # to have been removed successfully.
            remove:
              - role: roles/owner
                members:
                  # This is already not on the project, but in case it shows up, let's
                  # remove it.
                  - serviceAccount:1234567890@cloudservices.gserviceaccount.com

I ran into this problem too, and the error message does not actually explain the underlying problem. The key is that this is a GET operation, not an attempt to create the project. It is there to verify that the requested project ID is globally unique, and if it is not unique, "permission denied" is thrown.

- code: RESOURCE_ERROR
  location: /deployments/test-deployment/resources/dm-test-project
  message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
    caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/dm-test-project","httpMethod":"**GET**"}}'

There is a lot of room for improvement in the errors produced for end users.
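
The triage described in the answer above, as an added example that is not part of the original post or of Google's tooling: it parses the `message` field of a Deployment Manager RESOURCE_ERROR and separates a denied GET on a specific project ID from other 403s. The function name `triage` and the verdict labels are hypothetical, and the sample input is constructed from the error shown on this page.

```python
import json
import re

# Constructed sample: the "message" value of the RESOURCE_ERROR shown above.
SAMPLE_MESSAGE = (
    '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403",'
    '"ResourceErrorMessage":{"code":403,"message":"The caller does not have permission",'
    '"status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":'
    '"https://cloudresourcemanager.googleapis.com/v1/projects/dm-test-project",'
    '"httpMethod":"GET"}}'
)

# Matches a request that targets one concrete project ID.
PROJECT_PATH = re.compile(r"/v1/projects/([^/:?]+)$")


def triage(message: str) -> dict:
    """Classify a Deployment Manager resource error (hypothetical helper)."""
    # gcloud wraps long messages across lines; undo the wrap before parsing,
    # otherwise the raw newline inside the JSON string is rejected.
    flat = re.sub(r"\s*\n\s*", " ", message)
    try:
        outer = json.loads(flat)
    except json.JSONDecodeError:
        return {"verdict": "unparseable", "project_id": None, "method": None}
    inner = outer.get("ResourceErrorMessage") if isinstance(outer, dict) else None
    if not isinstance(inner, dict):
        return {"verdict": "unparseable", "project_id": None, "method": None}

    method = str(inner.get("httpMethod", "")).upper()
    match = PROJECT_PATH.search(str(inner.get("requestPath", "")))
    project_id = match.group(1) if match else None

    if inner.get("status") != "PERMISSION_DENIED":
        verdict = "other-error"
    elif method == "GET" and project_id:
        # Following the answer: the lookup of the requested ID was denied,
        # so suspect an ID that is already taken or pending deletion.
        verdict = "project-id-unavailable"
    else:
        # A denied write or list call points at the caller's IAM roles.
        verdict = "check-iam-roles"
    return {"verdict": verdict, "project_id": project_id, "method": method}


if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))
```

A "project-id-unavailable" verdict is a hint to try a different project ID before reworking role bindings on the organization; it does not prove the ID is taken.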

How many projects do you already have? If you try to create this project in the console, do you get an error saying the maximum number of projects has been reached (quoting the message from memory)? Unless you have increased the quota, the limit is 5.

I have resolved the issue based on the following thread: I was trying to deploy by running
gcloud deployment-manager deployments create test-deployment --config examples/my_project.yaml
and then, on receiving the error described, I was deleting the deployment by running
gcloud deployment-manager deployments delete test-deployment
Apparently the project ID was already "fixed" and we could no longer reuse it when trying to deploy again, so I changed it and it finally worked.

The reason the same project ID cannot be reused is that deleted projects can be undeleted. I don't remember the recovery period, roughly 20 days.

I wonder how the project came to be considered created if I received the 403 PERMISSION_DENIED error message from the very start, so even if I delete the deployment later, it should allow the same project ID to be reused.