resources:
- name: practice-service-account
type: iam.v1.serviceAccount
properties:
displayName: practice-service-account
projectId: {{ project }}
accountId: practice-service-account
- name: get-iam-policy
action: 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy'
properties:
resource: resources-practice {# make this environment variable #}
- name: set-iam-policy
action: 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy'
properties:
resource: {{ project }}
policy: $(ref.get-iam-policy)
gcpIamPolicyPatch:
add:
- role: roles/viewer
members:
- user:email1@example.com
- user:email2@example.com
- user:email3@example.com
为什么在尝试创建这些IAM资源时总是遇到以下错误?
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1544014242908-57c45d47a0760-6a2ec217-9ee53506]: errors:
- code: RESOURCE_ERROR
location: /deployments/infrastructure/resources/set-iam-policy
message: '{"ResourceType":"gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/resources-practice:setIamPolicy","httpMethod":"POST"}}'
答案 0 :(得分:1)
部署管理器acts using the [PROJECT_NUMBER]@cloudservices.gserviceaccount.com
service account。此错误表明该服务帐户无权更改该项目上的IAM策略。尝试granting服务帐户在项目上扮演iam.roleAdmin
角色(或在组织中扮演iam.organizationRoleAdmin
角色)。