我正在尝试使用Google云端部署管理器创建一个项目,我将设置大致如下:
# Structure
Org -> Folder1 -> Seed-Project(Location where I am running deployment manager from)
Organization:
IAM:
-> {Seed-Project-Number}@cloudservices.gserviceaccount.com:
- Compute Network Admin
- Compute Shared VPC Admin
- Organisation Viewer
- Project Creator
# DeploymentManager Resource:
type cloudresourcemanager.v1.project
name MyNewProject
parent
id: '{folder1-id}'
type: folder
projectId: MyNewProject
期望结果是MyNewProject应该在Folder1下创建。 然而,似乎部署管理器服务账户没有足够的权限:
$ CLOUDSDK_CORE_PROJECT=Seed-Project gcloud deployment-manager deployments \
create MyNewDeployment \
--config config.yaml \
--verbosity=debug
错误消息:
- code: RESOURCE_ERROR
location: /deployments/MyNewDeployment/resources/MyNewProject
message: '{"ResourceType":"cloudresourcemanager.v1.project",
"ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/MyNewProject","httpMethod":"GET"}}'
我进行了一些调查,似乎是在调用 resourcemanager.projects.get 方法;根据这里的文档,'Compute Shared VPC Admin (roles/compute.xpnAdmin)' 角色 应该 提供此权限: https://cloud.google.com/iam/docs/understanding-roles 但实际情况并非如此,发生了什么?
编辑
我想添加一些从调试努力中收集到的附加信息:
这些是来自部署经理的API请求(来自种子项目)。
您可以看到调用者是匿名服务帐户,这不是我期望看到的。(我希望在这里看到 {Seed-Project-Number}@cloudservices.gserviceaccount.com 作为调用帐户)
编辑-2
config.yaml
imports:
- path: composite_types/project/project.py
name: project.py
resources:
- name: MyNewProject
type: project.py
properties:
parent:
type: folder
id: "{folder1-id}"
billingAccountId: billingAccounts/REDACTED
activateApis:
- compute.googleapis.com
- deploymentmanager.googleapis.com
- pubsub.googleapis.com
serviceAccounts: []
composite_types/project/* 是这里找到的模板的精确副本:
resourcemanager.projects.create权限,或者拥有预定义角色roles/owner或roles/editor中的一个。这些权限需要在组织或文件夹级别上授予。 - John Hanleyconfig.yaml文件的情况下确定。作为参考,这里详细解释了它。 - Martin Zeitler