通过Deploymentmanager创建GCP项目 [英] GCP project creation via deploymentmanager

问题描述

因此，我正在尝试使用Google Cloud Deployment Manager创建一个项目， 香港专业教育学院的结构大致如下:

So im trying to create a project with google cloud deployment manager, Ive structured the setup roughly as below:

# Structure
Org -> Folder1 -> Seed-Project(Location where I am running deployment manager from)

Organization:
  IAM:
    -> {Seed-Project-Number}@cloudservices.gserviceaccount.com:
        - Compute Network Admin
        - Compute Shared VPC Admin
        - Organisation Viewer
        - Project Creator

# DeploymentManager Resource:
type    cloudresourcemanager.v1.project
name    MyNewProject
parent  
  id: '{folder1-id}'
  type: folder
projectId: MyNewProject

所需结果是应在Folder1下创建MyNewProject. 然而;似乎Deployment Manager服务帐户没有足够的权限:

The desired result is that MyNewProject should be created under Folder1. However; It appears as if the deployment manager service account does not have sufficent permissions:

$ CLOUDSDK_CORE_PROJECT=Seed-Project gcloud deployment-manager deployments \
  create MyNewDeployment \
  --config config.yaml \
  --verbosity=debug

错误信息:

- code: RESOURCE_ERROR
  location: /deployments/MyNewDeployment/resources/MyNewProject
  message: '{"ResourceType":"cloudresourcemanager.v1.project",
             "ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
    caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/MyNewProject","httpMethod":"GET"}}'

我已经进行了一些挖掘，似乎正在调用 resourcemanager.projects.get 方法； 计算共享的VPC管理员(roles/compute.xpnAdmin)"角色应该提供此权限，如以下文档所示:

I've done some digging, and it appears to be calling the resourcemanager.projects.get method; The 'Compute Shared VPC Admin (roles/compute.xpnAdmin)' role should provide this permission as documented here: https://cloud.google.com/iam/docs/understanding-roles

除了似乎并非如此，这是怎么回事?

Except that doesn't seem to be the case, whats going on ?

Id喜欢添加从调试工作中收集的一些其他信息: 这些是来自Deployment Manager(来自种子项目)的API请求.

Id like to add some additional information gathered from debugging efforts: These are the API requests from the deployment manager, (from the seed project).

您可以看到呼叫者是一个匿名服务帐户，这不是id希望看到的. (我希望在这里看到{Seed-Project-Number}@cloudservices.gserviceaccount.com作为主叫帐户)

You can see that the caller is an anonymous service account, this isn't what id expect to see. (Id expect to see {Seed-Project-Number}@cloudservices.gserviceaccount.com as the calling account here)

config.yaml

config.yaml

imports:
  - path: composite_types/project/project.py
    name: project.py

resources:
  - name: MyNewProject
    type: project.py
    properties:
      parent:
        type: folder
        id: "{folder1-id}"
      billingAccountId: billingAccounts/REDACTED
      activateApis:
        - compute.googleapis.com
        - deploymentmanager.googleapis.com
        - pubsub.googleapis.com
      serviceAccounts: []

composite_types/project/*是此处找到的模板的精确副本:

composite_types/project/* is an exact copy of the templates found here:

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/community/cloud-foundation/templates/project

推荐答案

关键是这是GET操作，而不是尝试创建项目.这是为了验证请求的项目ID的全局唯一性，如果不是唯一的，则抛出PERMISSION_DENIED.

The key thing is that this is a GET operation, not an attempt to create the project. This is to verify global uniqueness of the project-id requested, and if not unique, PERMISSION_DENIED is thrown.

大量错误消息，浪费大量的开发人员时间！

Lousy error message, lots of wasted developer hours !

这篇关于通过Deploymentmanager创建GCP项目的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！