Cannot deploy as a service account to Google Cloud Run


Problem description


I am struggling to enable deploying to cloud run for a service account. My logic looks something like:

gcloud auth activate-service-account \
  cloud-run-deployer@my-project.iam.gserviceaccount.com \
  --key-file=my-project-123123213.json

gcloud run deploy my-project-action \
  --image "gcr.io/my-project/my-project-action:dev" \
  --project my-project \
  --verbosity debug \
  --region us-central1 \
  --allow-unauthenticated \
  --platform managed


This fails with:

HttpForbiddenError: HttpError accessing <https://us-central1-run.googleapis.com/apis/serving.knative.dev/v1/namespaces/my-project/services/my-project-action?alt=json>: response: <{'status': '403', 'content-length': '126', 'x-xss-protection': '0', 'x-content-type-options': 'nosniff', 'transfer-encoding': 'chunked', 'vary': 'Origin, X-Origin, Referer', 'server': 'ESF', '-content-encoding': 'gzip', 'cache-control': 'private', 'date': 'Wed, 01 Jan 2020 23:08:29 GMT', 'x-frame-options': 'SAMEORIGIN', 'alt-svc': 'quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000', 'content-type': 'application/json; charset=UTF-8'}>, content <{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}
>
ERROR: (gcloud.run.deploy) PERMISSION_DENIED: The caller does not have permission


I have followed the steps at https://cloud.google.com/run/docs/reference/iam/roles#additional-configuration for my service account. E.g. it has project level roles/run.admin and roles/iam.serviceAccountUser. I have also tried giving it roles/editor or roles/owner for the project, but same result. I can see on my 123213123123-compute@developer.gserviceaccount.com user that cloud-run-deployer@my-project.iam.gserviceaccount.com is a service account user.


I can deploy with the same deploy command if I authenticate as myself with gcloud auth login.


Using cloud-run-deployer@my-project.iam.gserviceaccount.com and the same auth method, I am able to push new docker images to the container registry, so I think the auth process works, but I am missing some permission or something for cloud run deploy.


BTW I am deploying from cloud-sdk docker image.

Recommended answer


I tried to reproduce the issue, and I can say that it is working for me. The problem with Google Cloud Run, as with other services in Google Cloud, is that they use service identity.


During its execution, a Cloud Run revision uses a service account as its identity. This means that when your code uses Google Cloud client libraries, it automatically obtains and uses credentials from the runtime service account of the current Cloud Run revision. This strategy is called "Application Default Credentials".

As described here, by default:


Cloud Run revisions are using the Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com), which has the Project > Editor IAM role. This means that by default, your Cloud Run revisions have read and write access to all resources in your Google Cloud project.


This means that you could use the compute Engine default service account in order to make the deploy if you would like to. It is also recommended granting more granular permissions to each of your Cloud Run services by assigning dedicated service accounts with more restricted IAM roles.


If you would like to create a new service account and used it as your account for deploying containers to Google Cloud Run, you will need to:

  1. Create a service account with the permissions you mentioned in your question to do the deploy. Usually, you will need:

  • roles/run.admin which gives run.services.create and run.services.update.
  • roles/iam.serviceAccountUser which gives iam.serviceAccounts.actAs


This last one is the most important. Since you would like to use non-default services identities, the account or deployer must have the iam.serviceAccounts.actAs permission on the service account being deployed, as you can see here.

  2. Once your service account has these permissions, you could deploy a new service with the service account (a non-default identity) using the command you provided, but adding the --service-account flag, as shown here:


  gcloud run deploy my-project-action \
  --image "gcr.io/my-project/my-project-action:dev" \
  --project my-project \
  --verbosity debug \
  --region us-central1 \
  --allow-unauthenticated \
  --platform managed \
  --service-account [SERVICE_ACCOUNT]




It should work with gcloud run deploy, but in case not, you can also try gcloud beta run deploy.


You could see further information about the --service-account flag here, but in summary:

The email address of the IAM service account associated with the revision of the service. The service account represents the identity of the running revision and determines what permissions the revision has. If not provided, the revision will use the project's default service account.

Hope this helps.
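A pre-flight check, added here as an example (it is not from the answer above nor part of Google's tooling), that reads the two IAM policies the answer's steps concern and reports which of the named bindings the deployer still lacks before running gcloud run deploy. The policy documents and member names are constructed samples, and the JSON shape is assumed to match the output of gcloud's get-iam-policy commands with --format json.

```python
import json

# Constructed sample policies. Assumption: this is the shape returned by
# `gcloud projects get-iam-policy PROJECT --format json` and
# `gcloud iam service-accounts get-iam-policy SA --format json`.
DEPLOYER = "cloud-run-deployer@my-project.iam.gserviceaccount.com"

PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/run.admin",
   "members": ["serviceAccount:cloud-run-deployer@my-project.iam.gserviceaccount.com"]},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["user:someone@example.com"]}
]}""")

# Policy on the runtime service account the deployed revision will run as.
RUNTIME_SA_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:cloud-run-deployer@my-project.iam.gserviceaccount.com"]}
]}""")


def has_role(policy, member, role):
    """True if `member` appears in a binding for `role` in this IAM policy."""
    return any(b.get("role") == role and member in b.get("members", [])
               for b in policy.get("bindings", []))


def deploy_preflight(deployer, project_policy, runtime_sa_policy):
    """Return the bindings still missing for `deployer` to run `gcloud run deploy`.

    Only the two roles named in the answer are checked; broader roles such as
    roles/editor or roles/owner, or custom roles, are not recognised here.
    """
    member = f"serviceAccount:{deployer}"
    missing = []
    if not has_role(project_policy, member, "roles/run.admin"):
        missing.append("roles/run.admin on the project")
    # iam.serviceAccounts.actAs comes with roles/iam.serviceAccountUser, granted
    # either project-wide or directly on the runtime service account's policy.
    if not (has_role(project_policy, member, "roles/iam.serviceAccountUser")
            or has_role(runtime_sa_policy, member, "roles/iam.serviceAccountUser")):
        missing.append("roles/iam.serviceAccountUser on the runtime service account")
    return missing


if __name__ == "__main__":
    for line in deploy_preflight(DEPLOYER, PROJECT_POLICY, RUNTIME_SA_POLICY) or ["ok"]:
        print(line)
```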
