我正在使用data中的以下步骤,使用Cloud Build将DAG上传到Composer环境的存储分区中的cloudbuild.yaml文件夹中:
steps:
- name: gcr.io/cloud-builders/gcloud
args: ["composer", "environments", "storage", "data", "import", "--environment", "test-environment", "--location", "europe-west1",
"--source", "test_dag.py", "--destination", "test"]
但是,在运行gcloud builds submit .时,Cloud Build在此步骤失败并出现以下权限错误:
Step #0: ERROR: (gcloud.composer.environments.storage.data.import)
PERMISSION_DENIED: The caller does not have permission
Finished Step #0
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/gcloud" failed:
exit status 1
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
ERROR: (gcloud.builds.submit) build f9732670-8e98-475a-96f9eb7d509cf6ac
completed with status "FAILURE"
我假设“调用方”是项目的默认Cloud Build服务帐户,因此我尝试为该服务帐户赋予相关存储分区的“ Cloud Composer环境和存储对象管理员”角色,但这并不能解决问题。在本地版本(cloud-build-local --dryrun=false .)中运行import命令可以正常工作。
如何摆脱这个错误?我是否将错误的权限授予了错误的服务帐户?
答案 0 :(得分:0)
基于Cloud Composer access control doc,您需要将roles/
composer.environmentAndStorageObjectViewer授予与预期Composer环境相同的项目中的Cloud Build服务帐户(例如{project-number}@cloudbuild.gserviceaccount.com)。