无法使用 Terraform 创建谷歌项目 [英] Unable to create google project with Terraform

问题描述

我正在关注 Google GKE 和 SQLterraform 教程但我无法创建 google_project.project.我已经尝试过作为项目的所有者和教程中描述的服务.两次尝试都以这个错误结束:

I'm following the Google GKE and SQL with terraform tutorial But I'm not able to create a google_project.project. I have tried both as the owner of the project and as the service described in the tutorial. Both attempts end with this error:

Error: Error applying plan:

1 error(s) occurred:

* google_project.project: 1 error(s) occurred:

* google_project.project: error creating project terraform-dev-357aa670 
 (terraform-dev): googleapi: Error 403: User is not authorized., forbidden. 
  If you received a 403 error, make sure 
  you have the `roles/resourcemanager.projectCreator` permission

我认为我作为项目所有者拥有正确的权限，但显然没有.

I would think that I had the correct permissions as the project owner, but apparently not.

以下是我创建服务帐户的方式:

$ gcloud organizations add-iam-policy-binding ${TF_VAR_org_id}                                 (gke_my-domain-218910_europe-west1-b_my-domain-vpc-native/default)
> --member serviceAccount:terraform@${TF_ADMIN}.iam.gserviceaccount.com 
> --role roles/resourcemanager.projectCreator
Updated IAM policy for organization [00000].
bindings:
- members:
  - domain:my-domain.no
  role: roles/billing.creator
- members:
  - serviceAccount:terraform@my-domain-terraform-admin-3.iam.gserviceaccount.com
  - serviceAccount:terraform@my-domain-terraform-admin.iam.gserviceaccount.com
  role: roles/billing.user
- members:
  - domain:min-familie.no
  - serviceAccount:terraform@my-domain-terraform-admin-3.iam.gserviceaccount.com
  - serviceAccount:terraform@my-domain-terraform-admin.iam.gserviceaccount.com
  role: roles/resourcemanager.projectCreator
etag: BwWJxJTDnQs=
version: 19d

手动"创建项目是可行的.$ gcloud 项目创建 ${TF_ADMIN}.

Creating a project "manually" works. $ gcloud projects create ${TF_ADMIN}.

有什么想法可能是错的吗?

Any ideas what might be wrong?

推荐答案

我遇到了完全相同的问题！

I had exact same problem!

为我解决此问题的步骤:

Steps that solved this problem for me:

1. 将该服务帐户的密钥(使用 GCP 控制台)下载到:/Users/johndoe/sa.json

1. Downloaded the key for that Service Account (Using GCP Console) to : /Users/johndoe/sa.json

导出 GOOGLE_APPLICATION_CREDENTIALS=/Users/johndoe/factory.json

export GOOGLE_APPLICATION_CREDENTIALS=/Users/johndoe/factory.json

地形应用

希望这对你有用.

在这里找到了赛斯法戈的解决方案:https://github.com/sethvargo/vault-on-gke/issues/16

Found the solution from Seth Fargo here: https://github.com/sethvargo/vault-on-gke/issues/16

这篇关于无法使用 Terraform 创建谷歌项目的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！