Cloud Build无法部署到Google App Engine-您无权充当@ appspot.gserviceaccount.com [英] Cloud Build fails to deploy to Google App Engine - You do not have permission to act as @appspot.gserviceaccount.com

问题描述

今天早上，我进行了一次PR，该PR在我的登台环境中触发了Cloud Build，但是未能将结果部署到GAE.

This morning I made a PR which triggered a Cloud Build for my staging enviroment but failed to deploy the results to GAE.

错误如下:

错误:(gcloud.app.deploy)PERMISSION_DENIED:您无权充当"[redacted] @ appspot.gserviceaccount.com" 步骤#4:-'@type':type.googleapis.com/google.rpc.ResourceInfo 步骤#4:说明:您无权充当此服务帐户. 步骤#4:resourceName:[已编辑] @ appspot.gserviceaccount.com 步骤#4:resourceType:serviceAccount

ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as '[redacted]@appspot.gserviceaccount.com' Step #4: - '@type': type.googleapis.com/google.rpc.ResourceInfo Step #4: description: You do not have permission to act as this service account. Step #4: resourceName: [redacted]@appspot.gserviceaccount.com Step #4: resourceType: serviceAccount

当我查看 https://console.cloud.google时. com/cloud-build/settings/service-account 云构建具有以下服务帐户权限已启用:

When I look at https://console.cloud.google.com/cloud-build/settings/service-account Cloud build has the follow service account permissions ENABLED:

• App Engine管理员
• Cloud KMS

检查 https://console.cloud.google.com/iam-admin/iam 我可以看到cloudbuild服务帐户具有以下角色:

Checking https://console.cloud.google.com/iam-admin/iam I can see that the cloudbuild service account has the following roles:

• App Engine管理员
• App Engine Deployer
• 云构建服务帐户
• Cloud KMS CryptoKey Decrypter

推荐答案

根据提供的错误，看来您需要向服务帐户中添加一些委托.这意味着该服务帐户可以代表另一个服务帐户执行操作.不要在项目级别添加此权限，因为它会带来安全风险！在下面，您可以找到有关如何在另一个服务帐户上添加roles/iam.serviceAccountUser的示例.

According to the provided error, it seems like you need to add some delegation to your service account. This means that the service account can act on behalf of another service account. Do not add this permission on the project level, since it poses a security risk! Below you can find an example of how to add roles/iam.serviceAccountUser on another service account.

PROJECT_ID=xxxxxx

PROJECT_NUMBER=$(gcloud projects list \
  --format="value(projectNumber)" \
  --filter="projectId=${PROJECT_ID}")

gcloud iam service-accounts add-iam-policy-binding \
    ${PROJECT_ID}@appspot.gserviceaccount.com \
    --member=serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com \
    --role=roles/iam.serviceAccountUser \
    --project=${PROJECT_ID}

总而言之，服务帐户必须具有iam.serviceAccounts.actAs权限，该权限包含在roles/iam.serviceAccountUser角色中.可以在此处找到.

To summarize, the service account must have the iam.serviceAccounts.actAs permission, which is included in the roles/iam.serviceAccountUserrole. Updated Google documentation can be found here.

这篇关于Cloud Build无法部署到Google App Engine-您无权充当@ appspot.gserviceaccount.com的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！