Google Cloud Platform: unable to retrieve token from the Google Compute Engine metadata service. Status: 404

Tags: google-cloud-platform, google-kubernetes-engine, gcloud, google-cloud-sql, cloud-sql-proxy

I am trying to set up the Cloud SQL proxy running as a sidecar in my GKE cluster. The configuration is done with Terraform. I have set up Workload Identity, the required service accounts, and so on. When I launch ./cloud_sql_proxy from inside the GKE cluster (
kubectl run -it --image google/cloud-sdk:slim --serviceaccount ksa-name --namespace k8s-namespace workload-identity-test
), I get the following output:

root@workload-identity-test:/# ./cloud_sql_proxy -instances=project-id:europe-west4:db-instance=tcp:5432
2020/11/24 17:18:39 current FDs rlimit set to 1048576, wanted limit is 8500. Nothing to do here.
2020/11/24 17:18:40 GcloudConfig: error reading config: exit status 1; stderr was:
ERROR: (gcloud.config.config-helper) There was a problem refreshing your current auth tokens: ("Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/db-proxy@project-id.iam.gserviceaccount.com/token from the Google Compute Enginemetadata service. Status: 404 Response:\nb'Unable to generate access token; IAM returned 404 Not Found: Requested entity was not found.\\n'", <google_auth_httplib2._Response object at 0x7fc5575545f8>)
Please run:

  $ gcloud auth login

to obtain new credentials.

If you have already logged in with a different account:

    $ gcloud config set account ACCOUNT

to select an already authenticated account to use.
2020/11/24 17:18:41 GcloudConfig: error reading config: exit status 1; stderr was:
ERROR: (gcloud.config.config-helper) There was a problem refreshing your current auth tokens: ("Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/db-proxy@project-id.iam.gserviceaccount.com/token from the Google Compute Enginemetadata service. Status: 404 Response:\nb'Unable to generate access token; IAM returned 404 Not Found: Requested entity was not found.\\n'", <google_auth_httplib2._Response object at 0x7f06f72f45c0>)
Please run:

  $ gcloud auth login

to obtain new credentials.

If you have already logged in with a different account:

    $ gcloud config set account ACCOUNT

to select an already authenticated account to use.
2020/11/24 17:18:41 errors parsing config:
        Get "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/europe-west4~db-instance?alt=json&prettyPrint=false": metadata: GCE metadata "instance/service-accounts/default/token?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.admin" not defined
Expected result (I had this working on another cluster, then changed the configuration and cannot find where the error is):

root@workload-identity-test:~# ./cloud_sql_proxy -instances=project-id:europe-west4:db-instance-2=tcp:5432
2020/11/24 18:09:54 current FDs rlimit set to 1048576, wanted limit is 8500. Nothing to do here.
2020/11/24 18:09:56 Listening on 127.0.0.1:5432 for project-id:europe-west4:db-instance-2
2020/11/24 18:09:56 Ready for new connections

What am I doing wrong? How can I troubleshoot or debug this further?

Can you confirm that 'db-proxy@project-id.iam.gserviceaccount.com' is the correct account? I may be misreading, but it looks like it fails while trying to refresh the auth tokens for that account, and the error is that the account does not exist.

This may be because service accounts were not enabled when the Kubernetes cluster was created, or were not configured correctly. Try checking whether the service account is disabled. You could also try creating a new service account and switching to it, or, finally, try using the command at run time.

I ran into a similar error today and found it was because the GSA was in a different project from the GKE cluster. It looks like the iam.workloadIdentityUser binding needs to be between accounts in the same project.

So this worked:

# create the GSA (the name used here must match the one bound below)
gcloud iam service-accounts create "${GSA_NAME}" \
    --project ${PLATFORM_PROJECT_ID}

# let the KSA impersonate the GSA through the cluster's workload pool
gcloud iam service-accounts add-iam-policy-binding \
    "${GSA_NAME}@${PLATFORM_PROJECT_ID}.iam.gserviceaccount.com" \
    --member "serviceAccount:${PLATFORM_PROJECT_ID}.svc.id.goog[${KSA_NAMESPACE}/${KSA_NAME}]" \
    --role "roles/iam.workloadIdentityUser" \
    --project ${PLATFORM_PROJECT_ID}

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${KSA_NAME}
  namespace: ${KSA_NAMESPACE}
  annotations:
    # the annotation must be the full GSA e-mail address
    iam.gke.io/gcp-service-account: ${GSA_NAME}@${PLATFORM_PROJECT_ID}.iam.gserviceaccount.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
  namespace: ${KSA_NAMESPACE}
spec:
  template:
    spec:
      serviceAccountName: ${KSA_NAME}
# Deployment spec truncated for clarity

Not sure whether this helps you, but it may help others who find this by searching for the error string:

Failed to retrieve from the Google Compute Engine metadata service. Status: 404 Response:\nb'Unable to generate access token; IAM returned 404 Not Found: Requested entity was not found'

gcloud iam service-accounts get-iam-policy db-proxy@project-id.iam.gserviceaccount.com
returns a valid response. My understanding is that this means the account exists. I can also find it in the UI. The account is marked as "active". Providing credentials is an option, but not a good one. So far I have been able to get around this by creating a service account with a different name. Only the name changed, nothing else. If I delete
db-proxy@project-id.iam.gserviceaccount.com
and then use that name again, the problem is still there.
λ gcloud container clusters describe mycluster --format="value(workloadIdentityConfig.workloadPool)"
project-id.svc.id.goog
λ gcloud container node-pools describe mycluster-node-pool --cluster=mycluster --format="value(config.workloadMetadataConfig.mode)"
GKE_METADATA
λ gcloud container node-pools describe mycluster-node-pool --cluster=mycluster --format="value(config.oauthScopes)"
https://www.googleapis.com/auth/monitoring;https://www.googleapis.com/auth/devstorage.read_only;https://www.googleapis.com/auth/logging.write;https://www.googleapis.com/auth/cloud-platform;https://www.googleapis.com/auth/userinfo.email;https://www.googleapis.com/auth/compute;https://www.googleapis.com/auth/sqlservice.admin
λ kubectl describe serviceaccount --namespace k8s-namespace ksa-name
Name:                ksa-name
Namespace:           k8s-namespace
Labels:              <none>
Annotations:         iam.gke.io/gcp-service-account: db-proxy@project-id.iam.gserviceaccount.com
Image pull secrets:  <none>
Mountable secrets:   ksa-name-token-87n4t
Tokens:              ksa-name-token-87n4t
Events:              <none>
λ gcloud iam service-accounts get-iam-policy db-proxy@project-id.iam.gserviceaccount.com
bindings:
- members:
  - serviceAccount:project-id.svc.id.goog[k8s-namespace/ksa-name]
  role: roles/iam.workloadIdentityUser
etag: BwW02zludbY=
version: 1
λ kubectl get networkpolicy --namespace k8s-namespace
No resources found in k8s-namespace namespace.
λ gcloud projects get-iam-policy project-id
bindings:
- members:
  - serviceAccount:db-proxy@project-id.iam.gserviceaccount.com
  role: roles/cloudsql.editor
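As an added example, not part of the question or of any answer above: the diagnostics the asker posted (workload pool, node-pool metadata mode, KSA annotation, GSA IAM policy) are the pieces of the Workload Identity chain that have to agree before the GKE metadata server will mint a token for the GSA. The script below encodes those checks so they can be run offline over captured command output instead of by eye. It also covers the cross-project case from the third answer: the binding member must always use the cluster project's pool (`<cluster-project>.svc.id.goog[...]`), which a binding created with the GSA project's pool silently gets wrong. All inputs are constructed to mirror the placeholders in the question (`project-id`, `k8s-namespace`, `ksa-name`, `db-proxy@...`); `platform-project` in the second fixture is an assumed name. It calls neither gcloud nor kubectl.

```python
"""Offline consistency check for a GKE Workload Identity chain (added example).

Three things must agree for a pod to obtain a GSA token through the GKE metadata server:
  1. the node pool runs the GKE metadata server (workloadMetadataConfig.mode == GKE_METADATA)
  2. the KSA carries the annotation iam.gke.io/gcp-service-account: <GSA email>
  3. the GSA's IAM policy grants roles/iam.workloadIdentityUser to
     serviceAccount:<workload pool>[<namespace>/<KSA name>], where the workload pool is
     always <cluster project>.svc.id.goog, even when the GSA lives in another project.
"""
import re
from dataclasses import dataclass, field

WI_ROLE = "roles/iam.workloadIdentityUser"
KSA_ANNOTATION = "iam.gke.io/gcp-service-account"
GSA_EMAIL_RE = re.compile(r"^[a-z][a-z0-9-]*@([a-z][a-z0-9-]*)\.iam\.gserviceaccount\.com$")
WORKLOAD_POOL_RE = re.compile(r"^([a-z][a-z0-9-]*)\.svc\.id\.goog$")


@dataclass
class WorkloadIdentityInputs:
    workload_pool: str            # clusters describe ... value(workloadIdentityConfig.workloadPool)
    node_pool_metadata_mode: str  # node-pools describe ... value(config.workloadMetadataConfig.mode)
    ksa_namespace: str
    ksa_name: str
    ksa_annotations: dict         # kubectl describe serviceaccount ... Annotations
    gsa_email: str                # the GSA the pod is supposed to impersonate
    gsa_bindings: list = field(default_factory=list)  # get-iam-policy bindings: [{"role": ..., "members": [...]}]


def check_workload_identity(cfg: WorkloadIdentityInputs) -> list:
    """Return problems as 'ERROR: ...' / 'WARN: ...' strings; an empty list means the chain is consistent."""
    problems = []

    pool = WORKLOAD_POOL_RE.match(cfg.workload_pool)
    if not pool:
        problems.append(f"ERROR: workload pool {cfg.workload_pool!r} is not <project>.svc.id.goog; "
                        "Workload Identity is probably not enabled on the cluster")
        return problems
    cluster_project = pool.group(1)

    if cfg.node_pool_metadata_mode != "GKE_METADATA":
        problems.append(f"ERROR: node pool metadata mode is {cfg.node_pool_metadata_mode!r}, expected "
                        "'GKE_METADATA'; pods would talk to the node's metadata server, not GKE's")

    gsa = GSA_EMAIL_RE.match(cfg.gsa_email)
    if not gsa:
        problems.append(f"ERROR: GSA email {cfg.gsa_email!r} is not a *.iam.gserviceaccount.com address")
        return problems
    gsa_project = gsa.group(1)

    annotated = cfg.ksa_annotations.get(KSA_ANNOTATION)
    if annotated is None:
        problems.append(f"ERROR: KSA {cfg.ksa_namespace}/{cfg.ksa_name} lacks the {KSA_ANNOTATION} annotation")
    elif annotated != cfg.gsa_email:
        problems.append(f"ERROR: KSA annotation points at {annotated!r}, not {cfg.gsa_email!r}")

    # The member is keyed on the cluster project's pool, never on the GSA project's.
    expected_member = f"serviceAccount:{cfg.workload_pool}[{cfg.ksa_namespace}/{cfg.ksa_name}]"
    members = {m for b in cfg.gsa_bindings if b.get("role") == WI_ROLE for m in b.get("members", [])}
    if expected_member not in members:
        problems.append(f"ERROR: GSA policy has no {WI_ROLE} binding for {expected_member!r}; "
                        f"found {sorted(members)}")

    if gsa_project != cluster_project:
        problems.append(f"WARN: GSA is in project {gsa_project!r} but the cluster's workload pool is in "
                        f"{cluster_project!r}; the binding member must still use {cfg.workload_pool!r}")
    return problems


def is_consistent(cfg: WorkloadIdentityInputs) -> bool:
    return not any(p.startswith("ERROR:") for p in check_workload_identity(cfg))


# Constructed to mirror the outputs the asker posted; every name is the question's placeholder.
POSTED = WorkloadIdentityInputs(
    workload_pool="project-id.svc.id.goog",
    node_pool_metadata_mode="GKE_METADATA",
    ksa_namespace="k8s-namespace",
    ksa_name="ksa-name",
    ksa_annotations={KSA_ANNOTATION: "db-proxy@project-id.iam.gserviceaccount.com"},
    gsa_email="db-proxy@project-id.iam.gserviceaccount.com",
    gsa_bindings=[{"role": WI_ROLE,
                   "members": ["serviceAccount:project-id.svc.id.goog[k8s-namespace/ksa-name]"]}],
)

# Constructed cross-project variant (assumed project name "platform-project"): the GSA lives in
# another project and the binding was created with that project's pool, so it never matches.
CROSS_PROJECT_WRONG_POOL = WorkloadIdentityInputs(
    workload_pool="project-id.svc.id.goog",
    node_pool_metadata_mode="GKE_METADATA",
    ksa_namespace="k8s-namespace",
    ksa_name="ksa-name",
    ksa_annotations={KSA_ANNOTATION: "db-proxy@platform-project.iam.gserviceaccount.com"},
    gsa_email="db-proxy@platform-project.iam.gserviceaccount.com",
    gsa_bindings=[{"role": WI_ROLE,
                   "members": ["serviceAccount:platform-project.svc.id.goog[k8s-namespace/ksa-name]"]}],
)

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("cross-project", CROSS_PROJECT_WRONG_POOL)):
        print(label, check_workload_identity(cfg) or ["ok"])
```

Run against the posted outputs the check comes back empty, which matches the asker's own finding that the configuration looks right; when the chain is consistent and the token request still returns 404 from IAM, the fault is outside these three pieces (the asker's rename workaround points that way). Against the cross-project fixture it reports the missing binding for the cluster-pool member and warns about the project split, which is the situation the third answer describes.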