Google cloud platform 如何使用deployment manager创建新的服务帐户和主题,并仅授予其访问该主题的权限?
我可以在模板中创建一个新的发布/订阅主题和一个新的服务帐户 我可以了解如何为该服务帐户提供项目范围的发布/订阅访问权限: 另外,该示例似乎使用了不同的资源类型,这是我的模板:Google cloud platform 如何使用deployment manager创建新的服务帐户和主题,并仅授予其访问该主题的权限?,google-cloud-platform,google-cloud-pubsub,google-deployment-manager,Google Cloud Platform,Google Cloud Pubsub,Google Deployment Manager,我可以在模板中创建一个新的发布/订阅主题和一个新的服务帐户 我可以了解如何为该服务帐户提供项目范围的发布/订阅访问权限: 另外,该示例似乎使用了不同的资源类型,这是我的模板: resources: - name: "mytopic" type: gcp-types/pubsub-v1:projects.topics #type: pubsub-v1ubsub.v1.topic properties: topic: "mytopic" label
resources:
- name: "mytopic"
type: gcp-types/pubsub-v1:projects.topics
#type: pubsub-v1ubsub.v1.topic
properties:
topic: "mytopic"
labels:
my-lable: mytopic
当我切换到pubsub-v1ubsub.v1时,我使用gcp-types/pubsub-v1:projects.topics
。topic
我得到:
- code: RESOURCE_NOT_FOUND
message: The type [pubsub-v1ubsub.v1.topic] was not found.
- code: RESOURCE_ERROR
location: /deployments/mydeployment/resources/mytopic
message: '{"ResourceType":"gcp-types/pubsub-v1:projects.topics","ResourceErrorCode":"404","ResourceErrorMessage":{"statusMessage":"Not
Found","requestPath":"https://pubsub.googleapis.com/v1/:setIamPolicy","httpMethod":"POST"}}
如果我尝试将accessControl
添加到gcp-types/pubsub-v1:projects.topics
中,我会得到:
- code: RESOURCE_NOT_FOUND
message: The type [pubsub-v1ubsub.v1.topic] was not found.
- code: RESOURCE_ERROR
location: /deployments/mydeployment/resources/mytopic
message: '{"ResourceType":"gcp-types/pubsub-v1:projects.topics","ResourceErrorCode":"404","ResourceErrorMessage":{"statusMessage":"Not
Found","requestPath":"https://pubsub.googleapis.com/v1/:setIamPolicy","httpMethod":"POST"}}
我想创建一个新的主题,即新的服务帐户,并仅授予该服务帐户访问该特定主题的权限
在部署管理器中是否可以这样做
这是带有accessControl的完整模板:
resources:
- name: "mytopic"
type: gcp-types/pubsub-v1:projects.topics
#type: pubsub-v1ubsub.v1.topic
properties:
topic: "mytopic"
labels:
label: "sdfsdfsdf"
accessControl:
gcpIamPolicy:
bindings:
- role: roles/pubsub.editor
members:
- "serviceAccount:zzz@abc.iam.gserviceaccount.com"
- role: roles/pubsub.publisher
members:
- "serviceAccount:zzz@abc.iam.gserviceaccount.com"
编辑:
所以我想我已经成功了,但是现在我有一个关于依赖性的问题。我是否需要声明acl资源依赖于发布/订阅资源?或者这是没有必要的?如果我不包括它,它会工作,但我想确认它不会失败,并尝试首先部署acl或其他什么。另外,谷歌,请在你的文档中添加一个完整的例子。这将大大有助于让他们更容易接近
resources:
- name: "mytopic"
type: gcp-types/pubsub-v1:projects.topics
properties:
topic: "mytopic"
- name: "mytopic-permissions"
type: pubsub.v1.topic
properties:
topic: "mytopic"
accessControl:
gcpIamPolicy:
bindings:
- role: roles/pubsub.editor
members:
- "serviceAccount:xxxx@abc.iam.gserviceaccount.com"
- role: roles/pubsub.publisher
members:
- "serviceAccount:xxxx@abc.iam.gserviceaccount.com"
# Do I need this? If I dont have it deploys still seem to work
metadata:
dependsOn:
- "mytopic"
我没有看到谜题。如果我在这里读。。。在本例中,他们似乎正在创建一个新主题,然后在该主题上为特定用户提供特定角色,仅针对该主题,而不是所有主题。你看到的是不同的东西还是有不同的理解?也许我误解了。在UI中的何处可以看到主题权限?它在那里可见还是仅在gcloud中可见?另外,在尝试该示例时,我收到以下错误消息:{“ResourceType”:“gcp types/pubsub-v1:projects.topics”,“ResourceErrorCode”:“404”,“ResourceErrorMessage”:{“statusMessage”:“Not Found”,“requestPath”:“}}”`转到云控制台。进入酒吧/酒吧。进入主题列表。请参阅现有主题。在表格的右侧行,请参见“3点”。点击单击“查看权限”。是否可以使用accessControl定义显示完整的部署管理器文件?添加了完整模板