无法使用Terraform创建Google项目 [英] Unable to create google project with Terraform
问题描述
我正在跟踪 Google GKE和SQL与terraform 教程但是我无法创建 google_project.project .我既尝试作为项目的所有者,也尝试作为教程中描述的服务.两次尝试均以此错误结束:
I'm following the Google GKE and SQL with terraform tutorial But I'm not able to create a google_project.project. I have tried both as the owner of the project and as the service described in the tutorial. Both attempts end with this error:
Error: Error applying plan:
1 error(s) occurred:
* google_project.project: 1 error(s) occurred:
* google_project.project: error creating project terraform-dev-357aa670
(terraform-dev): googleapi: Error 403: User is not authorized., forbidden.
If you received a 403 error, make sure
you have the `roles/resourcemanager.projectCreator` permission
我认为我拥有项目所有者的正确权限,但显然没有.
I would think that I had the correct permissions as the project owner, but apparently not.
这是我创建服务帐户的方式:
$ gcloud organizations add-iam-policy-binding ${TF_VAR_org_id} \ (gke_my-domain-218910_europe-west1-b_my-domain-vpc-native/default)
> --member serviceAccount:terraform@${TF_ADMIN}.iam.gserviceaccount.com \
> --role roles/resourcemanager.projectCreator
Updated IAM policy for organization [00000].
bindings:
- members:
- domain:my-domain.no
role: roles/billing.creator
- members:
- serviceAccount:terraform@my-domain-terraform-admin-3.iam.gserviceaccount.com
- serviceAccount:terraform@my-domain-terraform-admin.iam.gserviceaccount.com
role: roles/billing.user
- members:
- domain:min-familie.no
- serviceAccount:terraform@my-domain-terraform-admin-3.iam.gserviceaccount.com
- serviceAccount:terraform@my-domain-terraform-admin.iam.gserviceaccount.com
role: roles/resourcemanager.projectCreator
etag: BwWJxJTDnQs=
version: 19d
手动"创建项目是可行的. $ gcloud项目创建$ {TF_ADMIN}
.
Creating a project "manually" works.
$ gcloud projects create ${TF_ADMIN}
.
任何想法可能有什么问题吗?
Any ideas what might be wrong?
推荐答案
我遇到了完全相同的问题!
I had exact same problem!
为我解决了这个问题的步骤:
Steps that solved this problem for me:
-
将该服务帐户的密钥(使用GCP控制台)下载到:/Users/johndoe/sa.json
Downloaded the key for that Service Account (Using GCP Console) to : /Users/johndoe/sa.json
导出GOOGLE_APPLICATION_CREDENTIALS =/Users/johndoe/factory.json
export GOOGLE_APPLICATION_CREDENTIALS=/Users/johndoe/factory.json
应用地形
希望这对您有用.
在这里找到了塞思·法戈(Seth Fargo)的解决方案: https://github.com/sethvargo/vault-on-gke/issues/16
Found the solution from Seth Fargo here: https://github.com/sethvargo/vault-on-gke/issues/16
这篇关于无法使用Terraform创建Google项目的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!