通过Deploymentmanager创建GCP项目 [英] GCP project creation via deploymentmanager
问题描述
因此,我正在尝试使用Google Cloud Deployment Manager创建一个项目, 香港专业教育学院的结构大致如下:
So im trying to create a project with google cloud deployment manager, Ive structured the setup roughly as below:
# Structure
Org -> Folder1 -> Seed-Project(Location where I am running deployment manager from)
Organization:
IAM:
-> {Seed-Project-Number}@cloudservices.gserviceaccount.com:
- Compute Network Admin
- Compute Shared VPC Admin
- Organisation Viewer
- Project Creator
# DeploymentManager Resource:
type cloudresourcemanager.v1.project
name MyNewProject
parent
id: '{folder1-id}'
type: folder
projectId: MyNewProject
所需结果是应在Folder1下创建MyNewProject. 然而;似乎Deployment Manager服务帐户没有足够的权限:
The desired result is that MyNewProject should be created under Folder1. However; It appears as if the deployment manager service account does not have sufficent permissions:
$ CLOUDSDK_CORE_PROJECT=Seed-Project gcloud deployment-manager deployments \
create MyNewDeployment \
--config config.yaml \
--verbosity=debug
错误信息:
- code: RESOURCE_ERROR
location: /deployments/MyNewDeployment/resources/MyNewProject
message: '{"ResourceType":"cloudresourcemanager.v1.project",
"ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/MyNewProject","httpMethod":"GET"}}'
我已经进行了一些挖掘,似乎正在调用 resourcemanager.projects.get 方法; 计算共享的VPC管理员(roles/compute.xpnAdmin)"角色应该提供此权限,如以下文档所示:
I've done some digging, and it appears to be calling the resourcemanager.projects.get method; The 'Compute Shared VPC Admin (roles/compute.xpnAdmin)' role should provide this permission as documented here: https://cloud.google.com/iam/docs/understanding-roles
除了似乎并非如此,这是怎么回事?
Except that doesn't seem to be the case, whats going on ?
Id喜欢添加从调试工作中收集的一些其他信息: 这些是来自Deployment Manager(来自种子项目)的API请求.
Id like to add some additional information gathered from debugging efforts: These are the API requests from the deployment manager, (from the seed project).
您可以看到呼叫者是一个匿名服务帐户,这不是id希望看到的. (我希望在这里看到{Seed-Project-Number}@cloudservices.gserviceaccount.com作为主叫帐户)
You can see that the caller is an anonymous service account, this isn't what id expect to see. (Id expect to see {Seed-Project-Number}@cloudservices.gserviceaccount.com as the calling account here)
config.yaml
config.yaml
imports:
- path: composite_types/project/project.py
name: project.py
resources:
- name: MyNewProject
type: project.py
properties:
parent:
type: folder
id: "{folder1-id}"
billingAccountId: billingAccounts/REDACTED
activateApis:
- compute.googleapis.com
- deploymentmanager.googleapis.com
- pubsub.googleapis.com
serviceAccounts: []
composite_types/project/*是此处找到的模板的精确副本:
composite_types/project/* is an exact copy of the templates found here:
推荐答案
关键是这是GET操作,而不是尝试创建项目.这是为了验证请求的项目ID的全局唯一性,如果不是唯一的,则抛出PERMISSION_DENIED.
The key thing is that this is a GET operation, not an attempt to create the project. This is to verify global uniqueness of the project-id requested, and if not unique, PERMISSION_DENIED is thrown.
大量错误消息,浪费大量的开发人员时间!
Lousy error message, lots of wasted developer hours !
这篇关于通过Deploymentmanager创建GCP项目的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!