Which permission is Google Compute Engine missing to initialize a Spanner client?

Tags: google-compute-engine, google-kubernetes-engine, gcloud, google-cloud-spanner

Trying to create a Spanner client in GKE pods, but getting:

File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/database.py", line 519, in run_in_transaction
     with SessionCheckout(self._pool) as session:
   File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/pool.py", line 536, in __enter__
     self._session = self._pool.get(**self._kwargs)
   File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/pool.py", line 273, in get
     session.create()
   File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/session.py", line 117, in create
     session_pb = api.create_session(self._database.name, metadata=metadata, **kw)
   File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/gapic/spanner_client.py", line 307, in create_session
     request, retry=retry, timeout=timeout, metadata=metadata
   File "/usr/local/lib/python3.7/site-packages/google/api_core/gapic_v1/method.py", line 145, in __call__
     return wrapped_func(*args, **kwargs)
   File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py", line 286, in retry_wrapped_func
     on_error=on_error,
   File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py", line 206, in retry_target
     last_exc,
   File "<string>", line 3, in raise_from

google.api_core.exceptions.RetryError: Deadline of 3600.0s exceeded while calling functools.partial(<function _wrap_unary_errors.<locals>.error_remapped_callable at 0x7f8bff413ef0>,
database: "projects/myproj-1501/instances/tfgen-spanid-2020585/databases/spanner-stage,
metadata=[('google-cloud-resource-prefix', 'projects/myproj-1501/instances/tfgen-spanid-2020585/databases/spanner-stage'),
('x-goog-request-params',
'database=projects/myproj-1501/instances/tfgen-spanid-2020585/databases/spanner-stage'),
 ('x-goog-api-client', 'gl-python/3.7.9 grpc/1.32.0 gax/1.22.2 gapic/1.17.1 gccl/1.17.1')]),
 last exception: 503 Getting metadata from plugin failed with error: ("Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/spanner-db-sa@myproj-1501.iam.gserviceaccount.com/token from the Google Compute Enginemetadata service.
  Status: 403 Response:\nb'Unable to generate access token; IAM returned 403 Forbidden: The caller does not have permission\\nThis error could be caused by a missing IAM policy binding on the target IAM service account.
  \\nFor more information, refer to the Workload Identity documentation:\\n\\thttps://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#creating_a_relationship_between_ksas_and_gsas\\n\\n'", <google.auth.transport.requests._Response object at 0x7f8bfcb33810>)
Any idea how to find out which permission is missing? Which service account needs this permission?

Thanks

In the article below, step 2 covers how to grant the role and points to one of the roles. I think you probably need one of these two roles:

roles/spanner.admin

roles/spanner.databaseAdmin


There are too many steps to list here, and it depends on the account, but step 1 in the first article shows you how to identify the correct service account. Note that GKE runs on GCE, so the service account may just look like a regular "Compute Engine" service account.

The error message indicates that an IAM policy binding may be missing on the target IAM service account 'spanner-db-sa@myproj-1501.iam.gserviceaccount.com'. Can you follow up on this?

Additionally, you need to grant the service account access to the Cloud Spanner database. You can follow the instructions to do that.
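The two answers above point at two separate bindings: the Workload Identity binding that lets the Kubernetes service account impersonate spanner-db-sa (the one the 403 from the metadata server is about), and the Spanner role on the database itself. The script below is an added example, not code from the question or either answer, that checks and creates both and then verifies the token fetch from inside a pod. The project, Google service account, instance and database names are taken from the traceback; the Kubernetes namespace (`default`), Kubernetes service account name (`spanner-ksa`) and pod name are assumptions, and `gcloud` and `kubectl` must already be authenticated against the right project and cluster.

```shell
#!/usr/bin/env bash
# Added example: repair the Workload Identity -> Spanner permission chain
# behind a 403 on .../service-accounts/<GSA>/token. Names marked "assumed"
# are not from the original post; change them to match your cluster.
set -eu

PROJECT_ID="myproj-1501"                                   # from the traceback
GSA="spanner-db-sa@${PROJECT_ID}.iam.gserviceaccount.com"  # from the traceback
INSTANCE="tfgen-spanid-2020585"                            # from the traceback
DATABASE="spanner-stage"                                   # from the traceback
K8S_NAMESPACE="${K8S_NAMESPACE:-default}"                  # assumed
KSA="${KSA:-spanner-ksa}"                                  # assumed
POD="${POD:-}"                                             # assumed: a pod running as $KSA

# Workload Identity member string for a Kubernetes service account:
#   serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# 1. Who may impersonate the GSA today? The error text names this binding
#    ("missing IAM policy binding on the target IAM service account").
#    Without it the metadata server answers 403 and the Spanner client keeps
#    retrying the "503 Getting metadata from plugin failed" until its 3600s
#    deadline, which is why the pod hangs for an hour before failing.
show_impersonation_binding() {
  gcloud iam service-accounts get-iam-policy "$GSA" \
    --project "$PROJECT_ID" \
    --flatten='bindings[].members' \
    --filter='bindings.role:roles/iam.workloadIdentityUser' \
    --format='value(bindings.members)'
}

# 2. Bind the KSA to the GSA (GSA side) and annotate the KSA (cluster side).
#    Both halves are required for the pod to receive the GSA's token.
grant_impersonation() {
  gcloud iam service-accounts add-iam-policy-binding "$GSA" \
    --project "$PROJECT_ID" \
    --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$PROJECT_ID" "$K8S_NAMESPACE" "$KSA")"
  kubectl -n "$K8S_NAMESPACE" annotate serviceaccount "$KSA" --overwrite \
    "iam.gke.io/gcp-service-account=${GSA}"
}

# 3. Give the GSA a Spanner role. Once the token is issued, CreateSession
#    still fails with PERMISSION_DENIED unless the GSA can use the database.
#    roles/spanner.databaseUser scoped to the one database is enough for an
#    application that reads and writes; the admin roles from the first
#    answer also create and delete databases and instances.
grant_database_access() {
  gcloud spanner databases add-iam-policy-binding "$DATABASE" \
    --instance "$INSTANCE" --project "$PROJECT_ID" \
    --member "serviceAccount:${GSA}" \
    --role roles/spanner.databaseUser
}

# 4. Verify from inside the pod: expect HTTP 200 instead of the 403 above.
check_pod_token() {
  kubectl -n "$K8S_NAMESPACE" exec "$POD" -- \
    curl -s -o /dev/null -w '%{http_code}\n' \
    -H 'Metadata-Flavor: Google' \
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${GSA}/token"
}

case "${1:-}" in
  show)   show_impersonation_binding ;;
  grant)  grant_impersonation; grant_database_access ;;
  verify) check_pod_token ;;
  "")     ;;  # no argument: only define the functions (safe to source)
  *)      echo "usage: $0 {show|grant|verify}" >&2; exit 2 ;;
esac
```

Run `show` first: if the member printed for roles/iam.workloadIdentityUser is not exactly `serviceAccount:myproj-1501.svc.id.goog[<namespace>/<ksa>]` for the namespace and service account the pod actually uses, that is the missing binding the error message describes, and `grant` adds it. The Spanner role is deliberately granted on the single database rather than on the project, and as databaseUser rather than admin, so that a compromised pod can reach only the data it needs.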