没有服务帐户的编辑者角色,创建实例组管理器将失败

时间:2018-08-16 11:16:22

标签: google-cloud-platform google-compute-engine google-iam

我有一个node.js应用程序试图创建一个实例组管理器。它在实例上运行,该实例具有一个范围为compute-rwcloud-platform的服务帐户。该服务帐户具有以下权限的角色:

includedPermissions:
- compute.autoscalers.create
- compute.autoscalers.get
- compute.disks.create
- compute.images.get
- compute.images.useReadOnly
- compute.instanceGroupManagers.create
- compute.instanceGroupManagers.get
- compute.instanceGroupManagers.use
- compute.instanceTemplates.create
- compute.instanceTemplates.get
- compute.instanceTemplates.useReadOnly
- compute.instances.create
- compute.instances.setMetadata
- compute.instances.setTags
- compute.networks.get
- compute.subnetworks.get
- compute.subnetworks.use

我在第一个日志条目中看到了resource.type="gce_instance_group_manager"的审核日志:

ProtoPayload.authorizationInfo:
  - granted: true
    permission: compute.instanceGroupManagers.create
    resourceAttributes:
      name: projects/my-project/zones/us-east1-b/instanceGroupManagers/resource-name
      service: compute
      type: compute.instanceGroupManagers
  - granted: true
    permission: compute.instanceTemplates.useReadOnly
    resourceAttributes:
      name: projects/my-project/global/instanceTemplates/resource-name
      service: compute
      type: compute.instanceTemplates
  - granted: true
    permission: compute.instances.create
    resourceAttributes:
      name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
      service: compute
      type: compute.instances
  - granted: true
    permission: compute.disks.create
    resourceAttributes:
      name: projects/my-project/zones/us-east1-b/disks/resource-name-0000
      service: compute
      type: compute.disks
  - granted: true
    permission: compute.images.useReadOnly
    resourceAttributes:
      name: projects/my-project/global/images/resource-name-image
      service: compute
      type: compute.images
  - granted: true
    permission: compute.subnetworks.use
    resourceAttributes:
      name: projects/my-project/regions/us-east1/subnetworks/resource-name-subnet
      service: compute
      type: compute.subnetworks
  - granted: true
    permission: compute.instances.setMetadata
    resourceAttributes:
      name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
      service: compute
      type: compute.instances
  - granted: true
    permission: compute.instances.setTags
    resourceAttributes:
      name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
      service: compute
      type: compute.instances

我身上得到status: "PENDING",得到200 OK。

仅当查看审核日志时,我会看到带有status.message: INVALID_PARAMETER的日志条目,没有任何说明,然后看到另一个日志条目,具有:

jsonPayload.error:
  - code: SERVICE_ACCOUNT_ACCESS_DENIED
    detail_message: ''
    location: ''

将编辑者角色附加到服务帐户时,我可以创建实例组管理器,因此似乎缺少一些权限。日志中没有显示未授予的权限,所以可能丢失了什么?

Raw logs

1 个答案:

答案 0 :(得分:1)

事实证明,instanceTemplate附加服务将帐户分配给实例。由于创建实例组管理器的实例使用的服务帐户必须具有iam.serviceAccountUser角色。

在我的情况下,不需要服务帐户,因此我将其从实例模板中删除,并且上面的权限起作用。

相关问题
最新问题