GCP - terraform 删除了所有政策,我该如何恢复 [英] GCP - terraform removed all policies, how can I revert
问题描述
我按照 terraform 运行.我错误地使用了 google_storage_bucket_iam_policy 而不是 google_storage_bucket_iam_binding 因此它没有添加新策略,而是替换了所有现有策略.
I run following terraform. I made a mistake of using google_storage_bucket_iam_policy instead of google_storage_bucket_iam_binding so instead of adding new policy, it replaced all of existing policy.
data "google_iam_policy" "deploy-script-admin-policy" {
binding {
role = "roles/storage.objectAdmin"
members = [
"serviceAccount:${google_service_account.deploy-script.email}",
]
}
}
# deploy script can read/write to a bucket
resource "google_storage_bucket_iam_policy" "policy" {
bucket = "my-bucket"
policy_data = data.google_iam_policy.deploy-script-admin-policy.policy_data
}
现在我无法运行 terraform 计划,因为我无法访问自己的存储桶.我收到类似 <my email> 之类的错误消息没有 storage.buckets.get 访问 Google Cloud Storage 存储桶的权限.,禁止.
Now I cannot run terraform plan because I lost access to my own bucket. I get error message like <my email> does not have storage.buckets.get access to the Google Cloud Storage bucket., forbidden.
我去了 GCP 控制台并尝试删除或更新此存储桶的权限,但它也不起作用,因为存储桶权限不允许它(我有所有者和 storage.admin 角色).
I went to GCP console and tried to either delete or update permission of this bucket but it won't work either since bucket permission doesn't allow it (I have owner and storage.admin role).
我该如何从这种情况中恢复过来?如果这是唯一的选择,我不介意删除存储桶.
How can I recover from this situation? I don't mind deleting the bucket if that's the only option.
编辑:我不知道发生了什么,但也许 GCP 有某种方式可以从这种情况中自动恢复.由于某种原因,我能够在一段时间后再次从控制台编辑存储桶......
EDIT: I don't know what happened, but maybe GCP has some way of auto-recover from such situation. For some reason I was able to edit bucket again from console after a while...
推荐答案
如果您有项目 IAM 管理员或其他允许您编辑 IAM 权限的角色,您可以在您的 google_storage_bucket_iam_policy.policy 资源,并且应该将权限恢复为从项目 IAM 权限继承的权限.这意味着如果您拥有 Storage Admin 权限,您应该能够再次修改存储桶权限.
If you have Project IAM Admin or some other role that enables you to edit IAM permissions, you can run terraform destroy on your google_storage_bucket_iam_policy.policy resource and that should restore the permissions to be permissions inherited from the project IAM permissions. This means that if you have the Storage Admin permission, you should be able to modify the bucket permissions again.
这篇关于GCP - terraform 删除了所有政策,我该如何恢复的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
