Google Cloud Platform: permission error building a GKE cluster on GCP with Terraform
I am trying to add a GKE cluster using Terraform 0.12.5 [as far as I know, this works fine on 0.11.7]:
resource "google_container_cluster" "primary" {
  name               = "gke-${terraform.workspace}-cluster"
  zone               = "${var.region}-b"
  initial_node_count = 3
  network            = "${var.vpc_name}"
  subnetwork         = "${var.subnet_name}"

  addons_config {
    horizontal_pod_autoscaling {
      disabled = false
    }
    kubernetes_dashboard {
      disabled = false
    }
  }

  # getting a vpc-native network
  ip_allocation_policy {
  }

  master_auth {
    username = "${var.gke_master_user}"
    password = "${var.gke_master_pass}"
  }

  node_config {
    oauth_scopes = [
      "https://www.googleapis.com/auth/compute",
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]
    labels = {
      env = "${var.gke_label[terraform.workspace]}"
    }
    disk_size_gb = 10
    machine_type = "${var.gke_node_machine_type}"
    tags         = ["gke-node"]
  }
}
I run this with a service account that has the following roles:
- roles/compute.networkAdmin
- roles/resourcemanager.projectCreator
- roles/storage.admin
1) deploy error: Not all instances running in IGM after 10.808470514s. Expect 1. Current errors:
[PERMISSIONS_ERROR]: Instance 'gke-gke-dev-cluster-default-pool-6266baac-0pn3' creation failed: Required 'compute.instances.create' permission for 'projects/353065647996/zones/europe-west1-b/instances/gke-gke-dev-cluster-default-pool-6266baac-0pn3' (when acting as '353065647996@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-gke-dev-cluster-default-pool-6266baac-0pn3' creation failed: Required 'compute.disks.create' permission for 'projects/353065647996/zones/europe-west1-b/disks/gke-gke-dev-cluster-default-pool-6266baac-0pn3' (when acting as '353065647996@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-gke-dev-cluster-default-pool-6266baac-0pn3' creation failed: Required 'compute.subnetworks.use' permission for 'projects/353065647996/regions/europe-west1/subnetworks/dev-subnet' (when acting as '353065647996@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-gke-dev-cluster-default-pool-6266baac-0pn3' creation failed: Required 'compute.subnetworks.useExternalIp' permission for 'projects/353065647996/regions/europe-west1/subnetworks/dev-subnet' (when acting as '353065647996@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-gke-dev-cluster-default-pool-6266baac-0pn3' creation failed: Required 'compute.instances.setMetadata' permission for 'projects/353065647996/zones/europe-west1-b/instances/gke-gke-dev-cluster-default-pool-6266baac-0pn3' (when acting as '353065647996@cloudservices.gserviceaccount.com') (truncated)
This service account, 353065647996@cloudservices.gserviceaccount.com, was created for the project and inherits from the original service account. I am not clear on how to give it the right roles/credentials.

This was caused by a user with only view permissions being added as the last user when the project was created. Removing that user made it work as expected.

Having the same issue, but I don't fully understand your answer. Could you elaborate?

I had two users in Terraform, one a "super user" and the other a minor user. For some reason the second, minor user broke things. Interesting...

The problem was that, for some reason, the default ServiceAccount had no permissions. Granting the Editor role through IAM solved it.

If you came here from a similar error but you are using a shared VPC, I found this helpful.
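As an added example, not code from the question or the answers above: the Terraform 0.12 binding that implements the fix the last comments describe, granting the Google APIs service agent named in the error ("when acting as" PROJECT_NUMBER@cloudservices.gserviceaccount.com) the Editor role at project level, and, going beyond the thread, the subnet-level binding the shared-VPC case needs. The project id, host project id, region and subnet variables are assumptions.

```hcl
# Added example, not part of the original question or answers.
# Assumed inputs: the service project id and, for the shared-VPC case,
# the host project id plus the region and name of the host subnet.
variable "project_id"      { type = string }
variable "host_project_id" { type = string, default = "" } # empty = no shared VPC
variable "region"          { type = string }
variable "subnet_name"     { type = string }

data "google_project" "service" {
  project_id = var.project_id
}

# The error names the principal doing the work: the Google APIs service
# agent, keyed by project *number*, not the account running Terraform.
locals {
  apis_service_agent = "serviceAccount:${data.google_project.service.number}@cloudservices.gserviceaccount.com"
}

# Fix reported in the thread: Editor at project level. This is a broad
# role; the error output above is truncated, so the full permission set
# the node pool's instance group needs cannot be derived from this page.
resource "google_project_iam_member" "apis_agent_editor" {
  project = data.google_project.service.project_id
  role    = "roles/editor"
  member  = local.apis_service_agent
}

# Shared VPC: compute.subnetworks.use(ExternalIp) is checked against the
# HOST project's subnet, so a project-level role in the service project
# does not cover it. Network User on that subnet grants both permissions.
resource "google_compute_subnetwork_iam_member" "apis_agent_network_user" {
  count      = var.host_project_id != "" ? 1 : 0
  project    = var.host_project_id
  region     = var.region
  subnetwork = var.subnet_name
  role       = "roles/compute.networkUser"
  member     = local.apis_service_agent
}
```

Add `depends_on = [google_project_iam_member.apis_agent_editor]` to the google_container_cluster resource so the node pool is not created before the binding exists. Confirm the binding with `gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" --filter="bindings.members:cloudservices.gserviceaccount.com"`.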