Dataproc operation failure: INVALID_ARGUMENT: User not authorized to act as service account

Problem description

I'm trying to run a pipeline from Cloud Data Fusion, but I'm receiving the following error:

io.cdap.cdap.runtime.spi.provisioner.dataproc.DataprocRuntimeException: Dataproc operation failure: INVALID_ARGUMENT: User not authorized to act as service account 'XXXXXXXX-compute@developer.gserviceaccount.com'. To act as a service account, user must have one of [Owner, Editor, Service Account Actor] roles. See https://cloud.google.com/iam/docs/understanding-service-accounts for additional details.

Has anyone already encountered this error?

Recommended answer

This error is related to the lack of the Service Account User role (roles/iam.serviceAccountUser) associated with the user/service account used to run the Dataproc job.

In order to overcome this error, you need to go to the IAM Policy Console and give the Service Account User role, as described here, to the current user/service account you are using to run the job, as exemplified below:

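  1. Go to the IAM & Admin console
  2. Click IAM
  3. Select the member you want to use to run the job
  4. Click the pen icon to the right of the member information
  5. Add the Service Account User role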

Pointing out some important topics, service accounts are used to make authorised API calls, through the service account itself or through delegated users within it. Moreover, regarding impersonating service accounts, a user with particular permissions can act as another service account with the necessary permission to execute a specific job.

Note: in step 3, you can also give a particular user (email) the roles/iam.serviceAccountUser role by clicking on +ADD (at the top of the console), then writing the email and selecting the permission. However, I must stress that this permission would be given at a project level. Thus, this user will be able to impersonate any of the existing Service Accounts.
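The project-level caveat in the note above can be checked against exported IAM policies. The following Python audit is an added example, not part of the original answer: it reports whether a member can act as service accounts through a project-wide binding or only through a binding on one service account's own policy. The function names are hypothetical and the members and policies are constructed sample data.

```python
import json

# Roles the page's error message and answer name as letting a member
# "act as" a service account.
ACT_AS_ROLES = {"roles/owner", "roles/editor",
                "roles/iam.serviceAccountActor", "roles/iam.serviceAccountUser"}

def act_as_members(policy):
    """Map member -> roles from `policy` that allow acting as a service
    account. Conditional bindings are counted too; a condition may narrow
    them, so this errs on the side of reporting."""
    found = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") in ACT_AS_ROLES:
            for member in binding.get("members", []):
                found.setdefault(member, set()).add(binding["role"])
    return found

def act_as_scope(member, project_policy, sa_policy):
    """Where does `member` get the right to act as the service account?
    'project' means every service account in the project is in reach;
    'service-account' means only the account that `sa_policy` belongs to."""
    if member in act_as_members(project_policy):
        return "project"
    if member in act_as_members(sa_policy):
        return "service-account"
    return None

# Constructed sample data. The first has the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`, the second of
# `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`.
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.serviceAccountUser", "members": ["user:alice@example.com"]},
  {"role": "roles/datafusion.admin",
   "members": ["user:alice@example.com", "user:bob@example.com"]}
]}""")
SA_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.serviceAccountUser", "members": ["user:bob@example.com"]}
]}""")

if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com",
                "user:carol@example.com"):
        print(who, "->", act_as_scope(who, PROJECT_POLICY, SA_POLICY))
```

A result of "project" marks the broad grant the note describes; "service-account" marks a grant limited to the single account the job runs as.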
