使用服务帐户从Compute Engine部署App Engine Flex [英] Deploying App Engine Flex from Compute Engine with service account

问题描述

我已经设置了一个计算引擎实例，用于集中维护和更新App Engine Flex实例.原因之一是将数据库和其他凭据保留在Google Project中，而不是将其存储在本地开发计算机上.

I have setup a compute engine instance for centralised maintenance and updating of App Engine Flex instances. One reason for this is to keep the database and other credentials inside the Google Project and not to store them on local development machines.

当我尝试灵活部署时

gcloud app deploy

我收到错误

ERROR: (gcloud.beta.app.deploy) Permissions error fetching application [<project here>]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.

服务帐户是默认的计算引擎帐户，并且我已在IAM中为其启用了编辑者角色.我还尝试启用所有App Engine角色，但并没有改变情况.

Service account is default compute engine account and I have enabled Editor role for it in the IAM. I also tried enabling all App Engine roles but it did not change the situation.

是否有一种方法可以从Compute Engine进行部署，如果可以的话，正确的凭据是什么?或者我在这里丢失了一些步骤?

Is there a way to make deployments from Compute Engine and if so what would be the correct credentials or am I missing some steps here?

推荐答案

我创建了一个新的Compute Engine实例，并尝试发出与您正在运行的命令相同的命令.我也遇到了同样的问题.这是我设法解决它的方法.

I created a new Compute Engine Instance and tried issuing the same command as you are running. I also encountered the same issue. Here is how I've managed to resolve it.

1)停止实例

2)导航到IAM>服务帐户>创建服务帐户

2) Navigate to IAM > Service Accounts > Create Service Account

3)创建一个新的服务帐户，并确保您除了向该服务帐户添加存储管理员"，项目编辑器"和云容器构建器编辑器"外，还为"App Engine Admin"或"App Engine Deployer"添加角色.因此，总共应该为服务帐户分配至少4个角色，以及您认为应用程序可能需要的其他任何角色.

3) Create a new service account and ensure you add roles for 'App Engine Admin'or 'App Engine Deployer' in addition to 'Storage Admin', 'Project Editor' and 'Cloud Container Builder Editor' to the service account. So in total you should have a minimum of 4 roles assigned to the service account, plus any other roles you think you may need for your application.

4)编辑停止的实例(从步骤1开始)，然后将服务帐户更改为您创建的新服务帐户.

4) Edit the stopped instance (from step 1) and change the service account to the new service account you created.

重新启动实例后，您现在应该具有正确的权限/角色，可以从实例部署App Engine Flex App.

When you restart the instance you should now have the correct permissions/roles to deploy your App Engine Flex App from the instance.

存在授权问题，因为未为Compute Engine默认服务帐户分配将应用程序部署到App Engine flex所需的角色，因为此过程中使用了各种API.通过将App Engine Flex部署所需的角色分配给新的服务帐户，然后将该服务帐户添加到实例，该实例便具有与App Engine Flex部署所需的其他GCP API交互所需的授权.

There was an authorisation issue because the Compute Engine default service account isn't assigned the roles required for deploying applications to App Engine flex, as various APIs are utilised in this process. By assigning the roles required for App Engine Flex deployments to a new service account, and then adding the service account to the instance, the instance then has the required authorisation to interact with other GCP APIs needed for App Engine Flex deployments.

这篇关于使用服务帐户从Compute Engine部署App Engine Flex的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！