GCP GKE-Google计算引擎：并非所有实例都在IGM中运行 [英] GCP GKE - Google Compute Engine: Not all instances running in IGM

问题描述

原来这是Terraform问题Terraform google_project_iam_binding deletes GCP compute engine default service account from IAM principals

---

下面的原始问题

尝试以具有所有者角色的用户身份创建GKE群集。但是，它会失败，并显示错误消息。已删除并重试了几次，但相同的错误。

请建议如何排除故障并了解原因。

用户

登录用户

服务帐户

GKE服务帐户设置

错误

Google Compute Engine: Not all instances running in IGM after 15.945831085s. 
Expected 3, running 0, transitioning 3. 
Current errors: 
[PERMISSIONS_ERROR]: Instance 'gke-cluster-1-default-pool-a3bd7bfb-cw7n' creation failed: Required 'compute.instances.create' permission for 'projects/412177242019/zones/us-central1-c/instances/gke-cluster-1-default-pool-a3bd7bfb-cw7n' (when acting as '412177242019@cloudservices.gserviceaccount.com'); 
[PERMISSIONS_ERROR]: Instance 'gke-cluster-1-default-pool-a3bd7bfb-cw7n' creation failed: Required 'compute.disks.create' permission for 'projects/412177242019/zones/us-central1-c/disks/gke-cluster-1-default-pool-a3bd7bfb-cw7n' (when acting as '412177242019@cloudservices.gserviceaccount.com'); 
[PERMISSIONS_ERROR]: Instance 'gke-cluster-1-default-pool-a3bd7bfb-cw7n' creation failed: Required 'compute.disks.setLabels' permission for 'projects/412177242019/zones/us-central1-c/disks/gke-cluster-1-default-pool-a3bd7bfb-cw7n' (when acting as '412177242019@cloudservices.gserviceaccount.com'); 
[PERMISSIONS_ERROR]: Instance 'gke-cluster-1-default-pool-a3bd7bfb-cw7n' creation failed: Required 'compute.subnetworks.use' permission for 'projects/412177242019/regions/us-central1/subnetworks/default' (when acting as '412177242019@cloudservices.gserviceaccount.com'); 
[PERMISSIONS_ERROR]: Instance 'gke-cluster-1-default-pool-a3bd7bfb-cw7n' creation failed: Required 'compute.subnetworks.useExternalIp' permission for 'projects/412177242019/regions/us-central1/subnetworks/default' (when acting as '412177242019@cloudservices.gserviceaccount.com') (truncated).

更新

已将"；Roles/Compute.admin"；添加到服务帐户。

$ gcloud iam service-accounts list
DISPLAY NAME                            EMAIL                                                                    DISABLED
Compute Engine default service account  412177242019-compute@developer.gserviceaccount.com                       False

$ gcloud projects add-iam-policy-binding 'positive-theme-323611' --member=serviceAccount:412177242019-compute@developer.gserviceaccount.com --role='roles/compute.admin'
Updated IAM policy for project [positive-theme-323611].
bindings:
...
- members:
  - serviceAccount:412177242019-compute@developer.gserviceaccount.com
  role: roles/compute.admin
...

但是，仍然存在相同的问题。

Google Compute Engine: Not all instances running in IGM after 18.269931718s. Expected 3, running 0, transitioning 3. Current errors: [PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: Required 'compute.instances.create' permission for 'projects/412177242019/zones/us-central1-c/instances/gke-cluster-4-default-pool-289807f2-5dh5' (when acting as '412177242019@cloudservices.gserviceaccount.com'); [PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: Required 'compute.disks.create' permission for 'projects/412177242019/zones/us-central1-c/disks/gke-cluster-4-default-pool-289807f2-5dh5' (when acting as '412177242019@cloudservices.gserviceaccount.com'); [PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: Required 'compute.disks.setLabels' permission for 'projects/412177242019/zones/us-central1-c/disks/gke-cluster-4-default-pool-289807f2-5dh5' (when acting as '412177242019@cloudservices.gserviceaccount.com'); [PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: Required 'compute.subnetworks.use' permission for 'projects/412177242019/regions/us-central1/subnetworks/default' (when acting as '412177242019@cloudservices.gserviceaccount.com'); [PERMISSIONS_ERROR]: Instance 'gke-cluster-4-default-pool-289807f2-5dh5' creation failed: Required 'compute.subnetworks.useExternalIp' permission for 'projects/412177242019/regions/us-central1/subnetworks/default' (when acting as '412177242019@cloudservices.gserviceaccount.com') (truncated).

相关

• Building a GKE cluster on GCP with Terraform permission error

推荐答案

您面临权限错误，因为服务帐户没有正确的iam权限。根据给定的信息，您已将culte.admin角色添加到计算引擎默认服务帐户，但没有添加到此服务帐户 412177242019@cloudservices.gserviceaccount.com。

Service Account User授予Google Cloud用户帐户执行操作的权限，就像服务帐户正在执行操作一样。

• 将iam.serviceAccountUser角色授予项目的用户将授予该用户授予项目中所有服务帐户的所有角色，包括将来可能创建的服务帐户。

• 将iam.serviceAccountUser角色授予特定服务帐户的用户将获得授予该服务帐户的所有角色。

服务帐户是标识，您可以通过向服务帐户授予角色来允许其访问项目中的资源，就像您对任何其他主体所做的那样。此服务帐户应具有提供广泛权限的编辑者角色。您正在使用的服务帐户没有所需的ServiceAccountUser角色(roles/iam.serviceAccountUser)和编辑者角色(roles/editor)。

这篇关于GCP GKE-Google计算引擎：并非所有实例都在IGM中运行的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！