为什么我会在部署容器时看到此错误:“错误:(gcloud.run.deploy) PERMISSION_DENIED:调用方没有权限”?
der*_*783 5 google-cloud-platform google-cloud-build google-cloud-run
假设我有一个cloudbuild.yaml像下面这样的文件。还假设我可以在gcloud用于单独的功能(构建和运行)时手动运行和部署有问题的容器。
部署的时候,第三步导致报错 ERROR: (gcloud.run.deploy) PERMISSION_DENIED: The caller does not have permission
steps:
# Build the container image
- name: 'gcr.io/cloud-builders/docker'
args: ['build', '-t', 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA', '.']
# Push the image to Container Registry
- name: 'gcr.io/cloud-builders/docker'
args: ['push', 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA']
# Deploy image to Cloud Run
- name: 'gcr.io/cloud-builders/gcloud'
args:
- 'run'
- 'deploy'
- '[SERVICE_NAME]'
- '--image'
- 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA'
- '--region'
- '[REGION]'
- '--platform'
- 'managed'
images:
- gcr.io/[PROJECT_ID]/[IMAGE]
der*_*783 15
请参阅以下文档:
https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#before_you_begin
您需要按照那里提供的步骤操作:
向 Cloud Build 服务帐号授予 Cloud Run Admin 角色:
在 Cloud Console 中,转到 Cloud Build 设置页面:
打开设置页面
找到具有 Cloud Run Admin 角色的行并将其状态设置为 ENABLED。
在可能需要附加步骤弹出窗口中,单击跳过。
将 IAM 服务账户用户角色授予 Cloud Run 运行时服务账户上的 Cloud Build 服务账户:
在 Cloud Console 中,转到服务帐号页面:
打开服务帐户页面
在成员列表中,找到并选择 [PROJECT_NUMBER]-compute@developer.gserviceaccount.com。这是 Cloud Run 运行时服务帐号。
单击右上角的显示信息面板。
在权限面板中,单击添加成员按钮。
In the New member field, enter the email address of the Cloud Build service account. This is of the form [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com. Note: The email address of Cloud Build service account is different from that of Cloud Run runtime service account.
In the Role dropdown, select Service Accounts, and then Service Account User.
Click Save.
In my case, the @cloudbuild account wasn't showing up in the IAM suggestions in step 2, but if you perform step 1, and run your build, the error message will change to something similar to the redacted message below, which contains the account you need.
ERROR: (gcloud.run.deploy) User [<SOME_NUMBER_HERE>@cloudbuild.gserviceaccount.com] does not have permission to access namespace [<YOUR_PROJECT_ID>] (or it may not exist): Permission 'iam.serviceaccounts.actAs' denied on service account <SOME_OTHER_NUMBER_HERE>-compute@developer.gserviceaccount.com (or it may not exist).
- 这是对的。Tldr:基本上,“部署者”(在本例中为 cloudbuild 服务帐户)必须对正在部署的 Cloud Run 应用程序将使用的服务帐户具有“充当”权限(以防止权限升级)。 (2认同)
- @Trevor我认为这有效: gcloud run services add-iam-policy-binding [CLOUD_RUN_SERVICE_NAME] \ --member=serviceAccount:[CLOUD BUILD SERVICE ACCOUNT EMAIL] \ --role=roles/run.admin \ gcloud iam service-accounts add-iam-policy-binding [CLOUD RUN 运行的服务帐户] \ --member=serviceAccount:[CLOUD BUILD SERVICE ACCOUNT] \ --role Roles/iam.serviceAccountUser --project=$PROJECT \ --region=$地区 (2认同)
我正在使用 Firebase Functions 通过 Cloud Build 部署新的 Cloud Run 实例,因此我还必须向我的函数中使用的服务帐户添加Cloud Build Service Account权限(除了遵循 @derekbaker783 的答案之外)
| 归档时间: |
|
| 查看次数: |
4538 次 |
| 最近记录: |