无法在GCP Cloud Scheduler上创建作业 [英] Can't create job on GCP Cloud Scheduler

问题描述

当我尝试在GCP Cloud Scheduler中创建作业时，出现此错误:

When I try to create a job in the GCP Cloud Scheduler I get this error:

{错误":{代码":7，消息":主体(用户或服务帐户)缺少资源\"[我的服务帐户]的IAM权限\" iam.serviceAccounts.actAs \"\(或资源可能不存在)."}}

{"error":{"code":7,"message":"The principal (user or service account) lacks IAM permission \"iam.serviceAccounts.actAs\" for the resource \"[my service account]\" (or the resource may not exist)."}}

启用GCP Cloud Scheduler后，便创建了服务帐户(并且可以在我的帐户列表中看到它).我已经验证它具有"Cloud Scheduler Service Agent"角色.

When I enabled the GCP Cloud Scheduler the service account was created (and I can see it in my accounts list). I have verified that it has the "Cloud Scheduler Service Agent" role.

我以项目所有者的身份登录.当我尝试创建作业时，出现此错误.我试图将服务帐户用户"添加到我的主要帐户，但无济于事.

I am logged in as an Owner of our project. It is when I try to create the job that I get this error. I tried to add the "Service Account User" to my principal account, but to no avail.

有人知道我是否必须添加任何其他权限吗?还是我必须允许我的校长以某种方式行事(假冒?)这个服务帐户?

Does anyone know if I have to add any additional permissions? Or if I have to allow my principal to act (impersonate?) this service account in some way?

非常感谢. 本

推荐答案

好，我知道了.如果您以某种方式阅读/知道GCP IAM的工作原理，那么该文档就很清晰(在我看来是这样).

Ok I figured this out. The documentation is (sort of, in my view) clear if you read it in a certain way / know how GCP IAM works.

您实际上需要两个服务帐户.您需要自己设置的名称(可以是您喜欢的任何名称，并且不需要任何特殊权限)，并且还需要Cloud Scheduler本身的名称.

You actually need two service accounts. You need one that you set up yourself (can be whatever name you like and doesn't require any special permissions) and you also need the one for Cloud Scheduler itself.

不要混淆两者.并使用您在指定服务帐户时创建的密码生成OAuth/OICD令牌.

Don't confuse the two. And use the one that you created when specifying the service account to generate the OAuth / OICD tokens.

这篇关于无法在GCP Cloud Scheduler上创建作业的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！