GCP GKE - Google Compute Engine: Not all instances running in IGM

Problem description

It turned out to be a Terraform problem: Terraform google_project_iam_binding deletes GCP compute engine default service account from IAM principals

Original question below

Trying to create a GKE cluster as a user with the Owner role. However, it fails with an error message. Deleted and retried several times, but same error. Please advise how to troubleshoot this and understand the cause.
User

Logged-in user

Service account

GKE service account settings

Error
Google Compute Engine: Not all instances running in IGM after 15.945831085s.
Expected 3, running 0, transitioning 3.
Current errors:
[PERMISSIONS_ERROR]: Instance 'gke-cluster-1-default-pool-a3bd7bfb-cw7n' creation failed: Required 'compute.instances.create' permission for 'projects/412177242019/zones/us-central1-c/instances/gke-cluster-1-default-pool-a3bd7bfb-cw7n' (when acting as '412177242019@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-cluster-1-default-pool-a3bd7bfb-cw7n' creation failed: Required 'compute.disks.create' permission for 'projects/412177242019/zones/us-central1-c/disks/gke-cluster-1-default-pool-a3bd7bfb-cw7n' (when acting as '412177242019@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-cluster-1-default-pool-a3bd7bfb-cw7n' creation failed: Required 'compute.disks.setLabels' permission for 'projects/412177242019/zones/us-central1-c/disks/gke-cluster-1-default-pool-a3bd7bfb-cw7n' (when acting as '412177242019@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-cluster-1-default-pool-a3bd7bfb-cw7n' creation failed: Required 'compute.subnetworks.use' permission for 'projects/412177242019/regions/us-central1/subnetworks/default' (when acting as '412177242019@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-cluster-1-default-pool-a3bd7bfb-cw7n' creation failed: Required 'compute.subnetworks.useExternalIp' permission for 'projects/412177242019/regions/us-central1/subnetworks/default' (when acting as '412177242019@cloudservices.gserviceaccount.com') (truncated).
Update

Added "roles/compute.admin" to the service account.
$ gcloud iam service-accounts list
DISPLAY NAME EMAIL DISABLED
Compute Engine default service account 412177242019-compute@developer.gserviceaccount.com False
$ gcloud projects add-iam-policy-binding 'positive-theme-323611' --member=serviceAccount:412177242019-compute@developer.gserviceaccount.com --role='roles/compute.admin'
Updated IAM policy for project [positive-theme-323611].
bindings:
...
- members:
- serviceAccount:412177242019-compute@developer.gserviceaccount.com
role: roles/compute.admin
...
However, still the same problem.

Google Compute Engine: Not all instances running in IGM after 18.269931718s.
Expected 3, running 0, transitioning 3.
Current errors:
[PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: Required 'compute.instances.create' permission for 'projects/412177242019/zones/us-central1-c/instances/gke-cluster-4-default-pool-289807f2-5dh5' (when acting as '412177242019@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: Required 'compute.disks.create' permission for 'projects/412177242019/zones/us-central1-c/disks/gke-cluster-4-default-pool-289807f2-5dh5' (when acting as '412177242019@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: Required 'compute.disks.setLabels' permission for 'projects/412177242019/zones/us-central1-c/disks/gke-cluster-4-default-pool-289807f2-5dh5' (when acting as '412177242019@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: Required 'compute.subnetworks.use' permission for 'projects/412177242019/regions/us-central1/subnetworks/default' (when acting as '412177242019@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: Required 'compute.subnetworks.useExternalIp' permission for 'projects/412177242019/regions/us-central1/subnetworks/default' (when acting as '412177242019@cloudservices.gserviceaccount.com') (truncated).
Answer

You are facing the permission error because the service account does not have the correct IAM permissions. According to the information given, you have added the compute.admin role to the Compute Engine default service account, but not to this service account: 412177242019@cloudservices.gserviceaccount.com.

Service Account User grants a Google Cloud user account permission to perform actions as if the service account were performing them.

Granting the iam.serviceAccountUser role to a user for a project gives that user all roles granted to all service accounts in the project, including service accounts that may be created in the future. Granting the iam.serviceAccountUser role to a user for a specific service account gives that user all roles granted to that service account.

roles/iam.serviceAccountUser) and the Editor role (roles/editor).
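The answer's point is that the role in the question's "Update" went to the wrong principal: the denied permissions are reported "when acting as" the Google APIs service account (412177242019@cloudservices.gserviceaccount.com), not the Compute Engine default service account. The following is an added example, not code from the question, the answer or Google: it parses the `[PERMISSIONS_ERROR]` text above into (acting principal, permission, resource) triples, looks the acting principal up in a project IAM policy shaped like the JSON from `gcloud projects get-iam-policy PROJECT --format=json`, and reports which permissions none of that principal's bindings cover. `ROLE_PERMISSIONS` is an assumption (a hand-picked subset of the permissions in three predefined roles, sufficient for this error), and `SAMPLE_POLICY` is a constructed policy mirroring the state after the question's "Update".

```python
"""Diagnose GKE/IGM PERMISSIONS_ERROR output against a project IAM policy.

Added example, not code from the original question or answer. Parses the
"Required '<permission>' permission for '<resource>' (when acting as
'<principal>')" fragments GKE reports and checks whether the acting principal
holds a role, in a gcloud-style IAM policy, that carries each permission.
"""
import re
from collections import defaultdict

# Assumed subset of the permissions carried by each predefined role (constructed
# for this example; not Google's authoritative role definitions).
COMPUTE_NODE_PERMS = {
    "compute.instances.create",
    "compute.disks.create",
    "compute.disks.setLabels",
    "compute.subnetworks.use",
    "compute.subnetworks.useExternalIp",
}
ROLE_PERMISSIONS = {
    "roles/editor": set(COMPUTE_NODE_PERMS),
    "roles/compute.admin": set(COMPUTE_NODE_PERMS),
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
}

# Matches one denied-permission fragment as printed in the question's error text.
ERROR_RE = re.compile(
    r"Required '(?P<permission>[^']+)' permission for '(?P<resource>[^']+)' "
    r"\(when acting as '(?P<actor>[^']+)'\)"
)

# Constructed sample: the error text from the question's "Update", on one line.
SAMPLE_ERROR = (
    "Google Compute Engine: Not all instances running in IGM after 18.269931718s. "
    "Expected 3, running 0, transitioning 3. Current errors: "
    "[PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: "
    "Required 'compute.instances.create' permission for 'projects/412177242019/zones/us-central1-c/instances/gke-cluster-4-default-pool-289807f2-5dh5' (when acting as '412177242019@cloudservices.gserviceaccount.com'); "
    "[PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: "
    "Required 'compute.disks.create' permission for 'projects/412177242019/zones/us-central1-c/disks/gke-cluster-4-default-pool-289807f2-5dh5' (when acting as '412177242019@cloudservices.gserviceaccount.com'); "
    "[PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: "
    "Required 'compute.disks.setLabels' permission for 'projects/412177242019/zones/us-central1-c/disks/gke-cluster-4-default-pool-289807f2-5dh5' (when acting as '412177242019@cloudservices.gserviceaccount.com'); "
    "[PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: "
    "Required 'compute.subnetworks.use' permission for 'projects/412177242019/regions/us-central1/subnetworks/default' (when acting as '412177242019@cloudservices.gserviceaccount.com'); "
    "[PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: "
    "Required 'compute.subnetworks.useExternalIp' permission for 'projects/412177242019/regions/us-central1/subnetworks/default' (when acting as '412177242019@cloudservices.gserviceaccount.com') (truncated)."
)

# Constructed policy mirroring the question's state after its "Update": the role
# went to the Compute Engine default SA, the Google APIs SA has no binding at all.
COMPUTE_DEFAULT_SA = "412177242019-compute@developer.gserviceaccount.com"
GOOGLE_APIS_SA = "412177242019@cloudservices.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:owner@example.com"]},  # constructed
    {"role": "roles/compute.admin", "members": ["serviceAccount:" + COMPUTE_DEFAULT_SA]},
]}


def parse_permission_errors(text):
    """Extract (actor, permission, resource) triples from GKE/IGM error text."""
    return [(m["actor"], m["permission"], m["resource"]) for m in ERROR_RE.finditer(text)]


def roles_for_member(policy, member):
    """Roles bound directly to `member` (e.g. 'serviceAccount:...') in the policy."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))


def missing_permissions(policy, text):
    """Map each acting principal to the denied permissions its roles do not cover."""
    missing = defaultdict(set)
    for actor, permission, _resource in parse_permission_errors(text):
        granted = set()
        for role in roles_for_member(policy, "serviceAccount:" + actor):
            granted |= ROLE_PERMISSIONS.get(role, set())
        if permission not in granted:
            missing[actor].add(permission)
    return {actor: sorted(perms) for actor, perms in missing.items()}


def with_binding(policy, role, member):
    """Return a copy of `policy` with `member` added to `role` additively, the
    same effect as `gcloud projects add-iam-policy-binding` (input is not mutated)."""
    bindings = [dict(b, members=list(b.get("members", []))) for b in policy.get("bindings", [])]
    for b in bindings:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return {"bindings": bindings}


if __name__ == "__main__":
    print("missing before fix:", missing_permissions(SAMPLE_POLICY, SAMPLE_ERROR))
    fixed = with_binding(SAMPLE_POLICY, "roles/editor", "serviceAccount:" + GOOGLE_APIS_SA)
    print("missing after granting roles/editor to the Google APIs SA:",
          missing_permissions(fixed, SAMPLE_ERROR))
```

Run against the sample, the diagnosis names only the Google APIs service account with all five compute permissions missing, and granting `roles/compute.admin` to the Compute Engine default service account again (as the question did) leaves that result unchanged; only a binding for the principal named in "when acting as" clears it. For a live project, feed the function the output of `gcloud projects get-iam-policy PROJECT --format=json` and the text of the failed operation.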