不断获取权限错误gcloud.container.clusters.get-credentials [英] Keep getting permissions error gcloud.container.clusters.get-credentials

问题描述

我正在尝试将CircleCi与gcloud Kubernetes引擎集成.

I am trying to integrate CircleCi with gcloud Kubernetes engine.

1. 我创建了一个具有Kubernetes Engine开发人员和Storage Admin角色的服务帐户.
2. 创建CircleCi yaml文件并配置CI.

我的yaml文件的一部分包括:

Part of my yaml file includes:

docker:
            - image: google/cloud-sdk
        environment:
            - PROJECT_NAME: 'my-project'
            - GOOGLE_PROJECT_ID: 'my-project-112233'
            - GOOGLE_COMPUTE_ZONE: 'us-central1-a'
            - GOOGLE_CLUSTER_NAME: 'my-project-bed'
        steps:
            - checkout
            - run:
                  name: Setup Google Cloud SDK
                  command: |
                      apt-get install -qq -y gettext
                      echo $GCLOUD_SERVICE_KEY > ${HOME}/gcloud-service-key.json
                      gcloud auth activate-service-account --key-file=${HOME}/gcloud-service-key.json
                      gcloud --quiet config set project ${GOOGLE_PROJECT_ID}
                      gcloud --quiet config set compute/zone ${GOOGLE_COMPUTE_ZONE}
                      gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}

除最后一个命令外，一切运行正常:

Everything runs perfectly except that the last command:

gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}

它不断失败并显示错误:

It keeps failing with the error:

ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/my-project-112233/zones/us-central1-a/clusters/my-project-bed". See https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted for more info.

我试图让ci帐户担任项目所有者，但仍然遇到该错误.

I tried to give the ci account the role of project owner but I still got that error.

我尝试禁用并重新启用Kubernetes服务，但没有帮助.

I tried to disable and re-enable the Kubernetes Service but it didn't help.

有什么办法解决这个问题吗?我想解决4天...

Any idea how to solve this? I am trying to solve it for 4 days...

推荐答案

我认为它不是CI服务帐户，而是用于管理GKE集群的k8s服务帐户，该帐户的电子邮件应如下所示(有人必须将其删除) ):

I believe it's not the CI Service account but the k8s service account used to manage your GKE cluster, where its email should look like this (Somebody must have deleted it):

k8s-service-account@<project-id>.iam.gserviceaccount.com

您可以重新创建它并为其授予项目所有者权限.

You can re-create it an give it project owner permissions.

这篇关于不断获取权限错误gcloud.container.clusters.get-credentials的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！