setIAM 403禁止

时间:2018-12-05 12:58:11

标签: google-cloud-platform google-deployment-manager

resources:
- name: practice-service-account
  type: iam.v1.serviceAccount
  properties:
    displayName: practice-service-account
    projectId: {{ project }}
    accountId: practice-service-account
- name: get-iam-policy
  action: 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy'
  properties:
    resource: resources-practice {# make this environment variable #}
- name: set-iam-policy
  action: 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy'
  properties:
    resource: {{ project }}
    policy: $(ref.get-iam-policy)
    gcpIamPolicyPatch:
      add:
      - role: roles/viewer
        members:
        - user:email1@example.com
        - user:email2@example.com
        - user:email3@example.com

为什么在尝试创建这些IAM资源时总是遇到以下错误?

ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1544014242908-57c45d47a0760-6a2ec217-9ee53506]: errors:
- code: RESOURCE_ERROR
  location: /deployments/infrastructure/resources/set-iam-policy
  message: '{"ResourceType":"gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
    caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/resources-practice:setIamPolicy","httpMethod":"POST"}}'

1 个答案:

答案 0 :(得分:1)

部署管理器acts using the [PROJECT_NUMBER]@cloudservices.gserviceaccount.com service account。此错误表明该服务帐户无权更改该项目上的IAM策略。尝试granting服务帐户在项目上扮演iam.roleAdmin角色(或在组织中扮演iam.organizationRoleAdmin角色)。