通过Deploymentmanager创建GCP项目

时间:2019-03-26 11:17:04

标签: google-cloud-platform google-deployment-manager

因此,我正在尝试使用Google Cloud Deployment Manager创建一个项目, Ive的结构大致如下:

# Structure
Org -> Folder1 -> Seed-Project(Location where I am running deployment manager from)

Organization:
  IAM:
    -> {Seed-Project-Number}@cloudservices.gserviceaccount.com:
        - Compute Network Admin
        - Compute Shared VPC Admin
        - Organisation Viewer
        - Project Creator

# DeploymentManager Resource:
type    cloudresourcemanager.v1.project
name    MyNewProject
parent  
  id: '{folder1-id}'
  type: folder
projectId: MyNewProject

所需结果是应在Folder1下创建MyNewProject。 然而;似乎Deployment Manager服务帐户没有足够的权限:

$ CLOUDSDK_CORE_PROJECT=Seed-Project gcloud deployment-manager deployments \
  create MyNewDeployment \
  --config config.yaml \
  --verbosity=debug

错误信息:

- code: RESOURCE_ERROR
  location: /deployments/MyNewDeployment/resources/MyNewProject
  message: '{"ResourceType":"cloudresourcemanager.v1.project",
             "ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
    caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/MyNewProject","httpMethod":"GET"}}'

我已经进行了一些挖掘,似乎正在调用 resourcemanager.projects.get 方法; “计算共享的VPC管理员(roles / compute.xpnAdmin)”角色应该提供此权限,如此处记录:https://cloud.google.com/iam/docs/understanding-roles

除了似乎并非如此,这是怎么回事?

编辑

Id喜欢添加从调试工作中收集的一些其他信息: 这些是来自Deployment Manager(来自种子项目)的API请求。

您可以看到呼叫者是一个匿名服务帐户,这不是id希望看到的。 (我希望在此处看到{Seed-Project-Number}@cloudservices.gserviceaccount.com作为主叫帐户)

screenshot

Edit-2

config.yaml 

imports:
  - path: composite_types/project/project.py
    name: project.py

resources:
  - name: MyNewProject
    type: project.py
    properties:
      parent:
        type: folder
        id: "{folder1-id}"
      billingAccountId: billingAccounts/REDACTED
      activateApis:
        - compute.googleapis.com
        - deploymentmanager.googleapis.com
        - pubsub.googleapis.com
      serviceAccounts: []

composite_types / project / *是此处找到的模板的精确副本:

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/community/cloud-foundation/templates/project

1 个答案:

答案 0 :(得分:1)

关键是这是GET操作,而不是尝试创建项目。这是为了验证请求的项目ID的全局唯一性,如果不是唯一的,则抛出PERMISSION_DENIED。

大量错误消息,浪费大量的开发人员时间!

相关问题
最新问题