我正在尝试通过云部署管理器将cloudsq.client角色添加到服务帐户。我该怎么办?
我发现我可以使用pubsub.v1.topic resourceType添加基本角色,例如角色/所有者。请参阅Google官方示例:
resources:
- name: {{ env['name'] }}
type: pubsub.v1.topic
properties:
topic: {{ env['name'] }}
accessControl:
gcpIamPolicy:
bindings:
- role: roles/pubsub.subscriber
members:
- "serviceAccount:$(ref.{{ properties['serviceAccountId'] }}.email)"
但是看来这不适用于role/cloudsql.client:
它说:
"message":"Role roles/cloudsql.client is not supported for this resource."
我通过Can't create cloudsql role for Service Account via api发现,我最有可能必须使用cloudresourcemanager.v1.project资源。但是,仅替换资源也不起作用:
resources:
- name: {{ env['name'] }}
type: cloudresourcemanager.v1.project
properties:
projectId: {{ env['project'] }}
accessControl:
gcpIamPolicy:
bindings:
- role: roles/cloudsql.client
members:
- "serviceAccount:$(ref.{{ properties['serviceAccountId'] }}.email)"
错误:
- code: RESOURCE_ERROR
location: /deployments/test-cluster/resources/cloudsql-client-role
message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"Service
accounts cannot create projects without a parent.","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects","httpMethod":"POST"}}'
我有点卡住了,所以我很感激我能得到的一切!
答案 0 :(得分:0)
要解决此问题,您需要在“资源”中使用以下类型:https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/ae293a455f90746fb2e25142dbc11250cc51aad3/community/cloud-foundation/templates/iam_member/iam_member.py#L30
向服务帐户添加角色的正确方法是:getIamPolicy> setIamPolicy
首先,您需要获取策略,然后才能设置策略,此过程称为“绑定”。
请使用以下模板向服务帐户添加角色:
如果您还有其他问题,我很乐意为您提供帮助。