Terraform GCP VM instance create - Error 403


Question

This is my first try at creating a VM on GCP through Terraform. Here are the 2 files which I created.

provider.tf


provider "google" {
  credentials = "${file("xxxxxx.json")}"
  project     = "project-1-200623"
  region      = "us-central1"
}

compute.tf


# Create a new instance
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-8"
    }
  }

  network_interface {
    network = "default"
    access_config {}
  }

  service_account {
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
  }
}

I am getting the below error:

Error: Error applying plan:

1 error(s) occurred:

* google_compute_instance.default: 1 error(s) occurred:

* google_compute_instance.default: Error loading zone 'us-central1-a': googleapi: Error 403: Required 'compute.zones.get' permission for 'projects/project-1-200623/zones/us-central1-a', forbidden.

Initially I thought there was some syntax issue with the VM image, but even after changing to multiple others, same issue. The service account has owner permissions on the project, so that I can rule out. Can someone please help me here?

Thanks for the help!

Answer

Terraform needs the Organization Admin permission.

These are the steps to add this permission:

1. Sign in to the Google Cloud Console as a Google Workspace or Cloud Identity super administrator, and navigate to the IAM & Admin page: Go to the Manage page

2. Select the organization you want to edit:

   a. Click the project drop-down list at the top of the page.

   b. In the Select from dialog, click the organization drop-down list, and select the organization to which you want to add an Organization Admin.

   c. On the list that appears, click the organization to open its IAM Permissions page.

3. Click Add, and then enter the email address of one or more users you want to set as organization administrators.

4. In the Select a role drop-down list, select Resource Manager > Organization Administrator, and then click Save.

The Organization Admin can do the following:

  • Take full control of the organization. Separation of responsibilities between the Google Workspace or Cloud Identity super administrator and the Google Cloud administrator is established.

  • Delegate responsibility over critical functions by assigning the relevant IAM roles.

I recommend you create a different service account to keep your projects separate; you can check how to create your service account here.
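The 403 in the question names both the missing permission (compute.zones.get) and the project it was checked against (projects/project-1-200623), so before granting anything broader it is worth confirming, offline, that the key file referenced in provider.tf was issued in that same project and that the project's IAM policy actually binds the service account to a role carrying that permission. The script below is an added example and is not code from the question or the answer; the key files, the IAM policy (shaped like `gcloud projects get-iam-policy --format=json` output) and the role-to-permission table are constructed samples, and the roles listed are only a hand-picked subset of the predefined roles that include compute.zones.get.

```python
"""Offline sanity check for a Terraform 'Error 403: Required compute.zones.get permission'.

Two common explanations are checked:
  1. the service-account key in provider "google" was minted in a different
     project than the one the provider targets;
  2. the project's IAM policy does not bind that service account to any role
     that grants compute.zones.get.
All inputs are constructed samples; ROLES_WITH_ZONES_GET is a hand-written
subset, not the authoritative GCP role definitions.
"""
import json
import re

# Constructed subset of predefined roles that include compute.zones.get.
ROLES_WITH_ZONES_GET = {
    "roles/owner",
    "roles/editor",
    "roles/compute.admin",
    "roles/compute.viewer",
    "roles/compute.instanceAdmin.v1",
}


def provider_project(provider_tf: str) -> str:
    """Pull the project argument out of a provider "google" block (regex over an HCL subset)."""
    match = re.search(r'project\s*=\s*"([^"]+)"', provider_tf)
    if not match:
        raise ValueError('no project = "..." argument found in provider block')
    return match.group(1)


def key_matches_project(key_json: str, project: str) -> bool:
    """A service-account key file records the project_id it was created in."""
    key = json.loads(key_json)
    return key.get("type") == "service_account" and key.get("project_id") == project


def roles_for_member(policy_json: str, member: str) -> set:
    """Roles bound to one member in a projects.getIamPolicy-style document."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def can_get_zones(policy_json: str, member: str) -> bool:
    return bool(roles_for_member(policy_json, member) & ROLES_WITH_ZONES_GET)


def diagnose(provider_tf: str, key_json: str, policy_json: str) -> list:
    """Return human-readable findings that would explain the 403; an empty list means none found."""
    project = provider_project(provider_tf)
    key = json.loads(key_json)
    findings = []
    if not key_matches_project(key_json, project):
        findings.append(
            f"key belongs to project {key.get('project_id')!r}, provider targets {project!r}"
        )
    member = f"serviceAccount:{key.get('client_email')}"
    if not can_get_zones(policy_json, member):
        findings.append(f"{member} holds no role granting compute.zones.get on {project}")
    return findings


# Provider block as posted in the question (key path redacted there as xxxxxx.json).
PROVIDER_TF = '''
provider "google" {
  credentials = "${file("xxxxxx.json")}"
  project     = "project-1-200623"
  region      = "us-central1"
}
'''

# Constructed key: minted in a different project than the provider targets.
KEY_WRONG_PROJECT = json.dumps({
    "type": "service_account",
    "project_id": "other-project-111111",
    "client_email": "terraform@other-project-111111.iam.gserviceaccount.com",
})

# Constructed key: minted in the provider's project.
KEY_OK = json.dumps({
    "type": "service_account",
    "project_id": "project-1-200623",
    "client_email": "terraform@project-1-200623.iam.gserviceaccount.com",
})

# Constructed IAM policy for project-1-200623.
POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/compute.viewer",
         "members": ["serviceAccount:terraform@project-1-200623.iam.gserviceaccount.com"]},
    ]
})

if __name__ == "__main__":
    for label, key in (("wrong-project key", KEY_WRONG_PROJECT), ("matching key", KEY_OK)):
        print(label, "->", diagnose(PROVIDER_TF, key, POLICY) or ["no IAM cause found"])
```

Run against the constructed inputs, the key from the other project produces two findings (project mismatch, and a service account absent from the target project's policy), while the matching key bound to roles/compute.viewer produces none; swapping in a real `gcloud projects get-iam-policy PROJECT --format=json` export and the real key file gives the same answer for an actual project.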
