运行部署管理器以创建部署时,我从GCP收到403 PERMISSION_DENIED响应,该部署创建服务帐户并使用云资源管理器API为其设置IAM策略。这是为此的setIamPolicy模板:
{
'resources': [
{
'name': context.env['name'],
'action': 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy',
'properties': {
'resource': context.properties['resource'],
'policy': {
'bindings': context.properties['bindings']
}
}
}
]
}
来自GCP的回复:
'{“ ResourceType”:“ gcp-types / cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy”,“ ResourceErrorCode”:“ 403”,“ ResourceErrorMessage”:{“ code”:403,“ message”:“ The 呼叫者没有权限“,” status“:” PERMISSION_DENIED“,” statusMessage“:”禁止“,” requestPath“:” https://cloudresourcemanager.googleapis.com/v1/projects/project-name@project-name.iam.gserviceaccount.com:setIamPolicy“,” httpMethod“:” POST“}}'
仅供参考:机器人帐户(12345@cloudservices.gserviceaccount.com)在IAM中具有项目所有者权限。
答案 0 :(得分:2)
正确的方法是:
{
# Set the IAM policy by patching the existing policy with the
# config contents.
'name': policy_add_name,
'action': 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy',
'properties':
{
'resource': project_id,
'policy': '$(ref.' + policy_get_name + ')',
'gcpIamPolicyPatch': {
'add': policies_to_add,
}
}
}