Failed to retrieve token from the Google Compute Engine metadata service. Status: 404


Question

I am trying to set up the Cloud SQL Proxy to run as a sidecar in my GKE cluster. The configuration is done through Terraform. I have set up Workload Identity, the required service accounts, and so on. When I start ./cloud_sql_proxy from within the GKE cluster (kubectl run -it --image google/cloud-sdk:slim --serviceaccount ksa-name --namespace k8s-namespace workload-identity-test), I get the following output:

root@workload-identity-test:/# ./cloud_sql_proxy -instances=project-id:europe-west4:db-instance=tcp:5432
2020/11/24 17:18:39 current FDs rlimit set to 1048576, wanted limit is 8500. Nothing to do here.
2020/11/24 17:18:40 GcloudConfig: error reading config: exit status 1; stderr was:
ERROR: (gcloud.config.config-helper) There was a problem refreshing your current auth tokens: ("Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/db-proxy@project-id.iam.gserviceaccount.com/token from the Google Compute Engine metadata service. Status: 404 Response:
b'Unable to generate access token; IAM returned 404 Not Found: Requested entity was not found.\n'", <google_auth_httplib2._Response object at 0x7fc5575545f8>)
Please run:

  $ gcloud auth login

to obtain new credentials.

If you have already logged in with a different account:

    $ gcloud config set account ACCOUNT

to select an already authenticated account to use.
2020/11/24 17:18:41 GcloudConfig: error reading config: exit status 1; stderr was:
ERROR: (gcloud.config.config-helper) There was a problem refreshing your current auth tokens: ("Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/db-proxy@project-id.iam.gserviceaccount.com/token from the Google Compute Engine metadata service. Status: 404 Response:
b'Unable to generate access token; IAM returned 404 Not Found: Requested entity was not found.\n'", <google_auth_httplib2._Response object at 0x7f06f72f45c0>)
Please run:

  $ gcloud auth login

to obtain new credentials.

If you have already logged in with a different account:

    $ gcloud config set account ACCOUNT

to select an already authenticated account to use.
2020/11/24 17:18:41 errors parsing config:
        Get "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/europe-west4~db-instance?alt=json&prettyPrint=false": metadata: GCE metadata "instance/service-accounts/default/token?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.admin" not defined

Here is the troubleshooting I have done so far:

root@workload-identity-test:/# gcloud auth list
                   Credentialed Accounts
ACTIVE  ACCOUNT
*       db-proxy@project-id.iam.gserviceaccount.com

To set the active account, run:
    $ gcloud config set account `ACCOUNT`
λ gcloud container clusters describe mycluster --format="value(workloadIdentityConfig.workloadPool)"
project-id.svc.id.goog
λ gcloud container node-pools describe mycluster-node-pool --cluster=mycluster --format="value(config.workloadMetadataConfig.mode)"
GKE_METADATA
λ gcloud container node-pools describe mycluster-node-pool --cluster=mycluster --format="value(config.oauthScopes)"
https://www.googleapis.com/auth/monitoring;https://www.googleapis.com/auth/devstorage.read_only;https://www.googleapis.com/auth/logging.write;https://www.googleapis.com/auth/cloud-platform;https://www.googleapis.com/auth/userinfo.email;https://www.googleapis.com/auth/compute;https://www.googleapis.com/auth/sqlservice.admin
λ kubectl describe serviceaccount --namespace k8s-namespace ksa-name
Name:                ksa-name
Namespace:           k8s-namespace
Labels:              <none>
Annotations:         iam.gke.io/gcp-service-account: db-proxy@project-id.iam.gserviceaccount.com
Image pull secrets:  <none>
Mountable secrets:   ksa-name-token-87n4t
Tokens:              ksa-name-token-87n4t
Events:              <none>
λ gcloud iam service-accounts get-iam-policy db-proxy@project-id.iam.gserviceaccount.com
bindings:
- members:
  - serviceAccount:project-id.svc.id.goog[k8s-namespace/ksa-name]
  role: roles/iam.workloadIdentityUser
etag: BwW02zludbY=
version: 1
λ kubectl get networkpolicy --namespace k8s-namespace
No resources found in k8s-namespace namespace.
λ gcloud projects get-iam-policy project-id
bindings:
- members:
  - serviceAccount:db-proxy@project-id.iam.gserviceaccount.com
  role: roles/cloudsql.editor

Expected result (I had this running on another cluster, later changed the configuration, and cannot find where my mistake is):

root@workload-identity-test:~# ./cloud_sql_proxy -instances=project-id:europe-west4:db-instance-2=tcp:5432
2020/11/24 18:09:54 current FDs rlimit set to 1048576, wanted limit is 8500. Nothing to do here.
2020/11/24 18:09:56 Listening on 127.0.0.1:5432 for project-id:europe-west4:db-instance-2
2020/11/24 18:09:56 Ready for new connections

What am I doing wrong? How can I troubleshoot or debug this further?
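The troubleshooting steps above walk the Workload Identity chain by hand: cluster workload pool, node pool metadata mode, KSA annotation, roles/iam.workloadIdentityUser binding on the GSA, and the GSA's Cloud SQL role on the project. The script below is an added example, not code from the question, the answer or the Cloud SQL Proxy project: it takes the text that those gcloud/kubectl commands print and checks every link in one pass, so a mismatch (wrong namespace in the binding, a node pool still on GCE_METADATA, a binding left pointing at a deleted principal) is reported by name instead of surfacing as a metadata-server 404. It assumes the flat bindings/members/role YAML shape shown in the question, and the identifiers from the page (project-id, k8s-namespace, ksa-name, db-proxy@...) are reused as constructed sample inputs.

```python
"""Workload Identity preflight for a Cloud SQL Proxy sidecar (added example).

Checks the chain: cluster workloadPool -> node pool GKE_METADATA -> KSA annotation
-> roles/iam.workloadIdentityUser binding on the GSA -> GSA Cloud SQL role on the
project. Inputs are the strings the gcloud/kubectl commands print, so this runs
offline. Only the flat YAML shape that `gcloud ... get-iam-policy` prints is parsed.
"""
import re

WI_USER_ROLE = "roles/iam.workloadIdentityUser"
# Any of these lets the proxy call the SQL Admin API; the question uses cloudsql.editor.
CLOUDSQL_ROLES = {"roles/cloudsql.editor", "roles/cloudsql.admin", "roles/cloudsql.client"}


def expected_pool(project):
    """Workload Identity pool name GKE derives from the project ID."""
    return f"{project}.svc.id.goog"


def expected_member(project, namespace, ksa):
    """IAM member that must hold roles/iam.workloadIdentityUser on the GSA."""
    return f"serviceAccount:{expected_pool(project)}[{namespace}/{ksa}]"


def parse_bindings(policy_yaml):
    """Map role -> set of members from the flat bindings YAML gcloud prints."""
    bindings, members = {}, []
    for raw in policy_yaml.splitlines():
        line = raw.strip()
        if line.startswith("- members:"):
            members = []
        elif line.startswith("- "):
            members.append(line[2:].strip())
        elif line.startswith("role:"):
            bindings.setdefault(line.split(":", 1)[1].strip(), set()).update(members)
            members = []
    return bindings


def parse_ksa_annotation(ksa_describe):
    """Pull the GSA out of the iam.gke.io/gcp-service-account annotation."""
    match = re.search(r"iam\.gke\.io/gcp-service-account:\s*(\S+)", ksa_describe)
    return match.group(1) if match else None


def preflight(project, namespace, ksa, gsa, workload_pool, metadata_mode,
              ksa_describe, gsa_policy, project_policy):
    """Return a list of findings; an empty list means every link checks out."""
    findings = []
    if workload_pool != expected_pool(project):
        findings.append(f"cluster workloadPool is {workload_pool!r}, expected {expected_pool(project)!r}")
    if metadata_mode != "GKE_METADATA":
        findings.append(f"node pool workloadMetadataConfig.mode is {metadata_mode!r}, expected 'GKE_METADATA'")
    annotated = parse_ksa_annotation(ksa_describe)
    if annotated != gsa:
        findings.append(f"KSA {namespace}/{ksa} is annotated with {annotated!r}, expected {gsa!r}")
    gsa_bindings = parse_bindings(gsa_policy)
    member = expected_member(project, namespace, ksa)
    if member not in gsa_bindings.get(WI_USER_ROLE, set()):
        findings.append(f"{member} lacks {WI_USER_ROLE} on {gsa}")
    project_bindings = parse_bindings(project_policy)
    gsa_member = f"serviceAccount:{gsa}"
    held = {role for role, members in project_bindings.items() if gsa_member in members}
    if not held & CLOUDSQL_ROLES:
        findings.append(f"{gsa_member} holds none of {sorted(CLOUDSQL_ROLES)} on project {project}")
    # A member with a deleted: prefix is a binding to a principal that no longer
    # exists; it grants nothing and is the usual leftover of a delete/recreate.
    for role, members in list(gsa_bindings.items()) + list(project_bindings.items()):
        for stale in sorted(m for m in members if m.startswith("deleted:")):
            findings.append(f"stale binding {stale} for {role}")
    return findings


# Constructed sample inputs mirroring the command outputs pasted in the question.
SAMPLE = dict(
    project="project-id", namespace="k8s-namespace", ksa="ksa-name",
    gsa="db-proxy@project-id.iam.gserviceaccount.com",
    workload_pool="project-id.svc.id.goog", metadata_mode="GKE_METADATA",
    ksa_describe=("Name:         ksa-name\nNamespace:    k8s-namespace\n"
                  "Annotations:  iam.gke.io/gcp-service-account: "
                  "db-proxy@project-id.iam.gserviceaccount.com\n"),
    gsa_policy=("bindings:\n- members:\n"
                "  - serviceAccount:project-id.svc.id.goog[k8s-namespace/ksa-name]\n"
                "  role: roles/iam.workloadIdentityUser\netag: BwW02zludbY=\nversion: 1\n"),
    project_policy=("bindings:\n- members:\n"
                    "  - serviceAccount:db-proxy@project-id.iam.gserviceaccount.com\n"
                    "  role: roles/cloudsql.editor\n"),
)


def run_sample(**overrides):
    """Run the preflight on the sample, overriding any field for what-if checks."""
    return preflight(**{**SAMPLE, **overrides})


if __name__ == "__main__":
    for finding in run_sample() or ["all Workload Identity links check out"]:
        print(finding)
```

In practice the inputs are filled from the same commands the question runs (`gcloud container clusters describe ... --format="value(workloadIdentityConfig.workloadPool)"`, `kubectl describe serviceaccount ...`, `gcloud iam service-accounts get-iam-policy ...`); the sample in the block reproduces the question's configuration and passes every check, which matches the observation that the 404 here was not a visible misconfiguration of the chain.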

Accepted answer

I was able to resolve the issue by creating the service account with a different name. Only the name changed, nothing else. If I delete db-proxy@project-id.iam.gserviceaccount.com and then use that name again, the problem persists. I could not find any other references to that account. I have not run into the issue again since my comment on Nov 30 '20.

