Bucket query permission denied in GCP even though the service account has the Owner role

Time: 2019-10-02 13:02:40

Tags: google-cloud-platform google-cloud-storage terraform gitlab-ci-runner google-iam

I'm trying to create a GCP VM with Terraform. I created a service account on Google with the project Owner role. I'm trying to use Terraform to create a bucket that stores the Terraform state. The credentials .json is in a GitLab variable.

The problem is that although the service account has the Owner role, I still get a 403 error saying that my service account doesn't have access and is forbidden.

Things I've tried:

  • I've given the service account different roles, including Project Editor, Storage Admin and Storage Object Admin.

  • I've deleted and recreated it (and updated the GitLab variable).

  • I've created the bucket on Google through the UI instead of Terraform in case that was the problem, but it made no difference.

GitLab's yml:

image:
  name: hashicorp/terraform:light
  entrypoint:
    - '/usr/bin/env'
    - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

before_script:
  - rm -rf .terraform
  - terraform --version
  - mkdir -p ./creds
  # quote the variable so the base64 blob is passed to the decoder unchanged
  - echo "$SERVICEACCOUNT" | base64 -d > ./creds/serviceaccount.json
  - terraform init

stages:
  - validate
  - plan
  - apply

validate:
  stage: validate
  script:
    - terraform validate

plan:
  stage: plan
  script:
    - terraform plan -out "planfile"
  dependencies:
    - validate
  artifacts:
    paths:
      - planfile

apply:
  stage: apply
  script:
    - terraform apply -input=false "planfile"
  dependencies:
    - plan
  when: manual


My main.tf:

provider "google" {
  project     = "project-id-name"
  credentials = "./creds/serviceaccount.json"
  region      = "europe-west1"
}

# make bucket to store terraform state into
# (google_storage_bucket takes "location", not "region")
resource "google_storage_bucket" "terraform_state" {
  name     = "terraform-up-and-running-state"
  location = "europe-west1"
}

# config terraform to store onto cloud in bucket above
# (the backend bucket must already exist when "terraform init" runs;
# a resource in the same configuration cannot create it first)
terraform {
  backend "gcs" {
    bucket      = "terraform-up-and-running-state"
    credentials = "./creds/serviceaccount.json"
  }
}

# rest
resource "google_compute_instance" "vm_instance" {
  name         = "my-test-vm"
  machine_type = "f1-micro"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    # A default network is created for all GCP projects
    network = google_compute_network.vpc_network.self_link
    access_config {
    }
  }
}

resource "google_compute_network" "vpc_network" {
  name                    = "my-test-network"
  auto_create_subnetworks = true
}

The goal is to bring up a Google VM and everything it needs purely through Terraform.

This is what GitLab's validate stage shows:

Running with gitlab-runner 12.3.0 (a8a019e0)
  on docker-auto-scale 72989761
Using Docker executor with image hashicorp/terraform:light ...
Pulling docker image hashicorp/terraform:light ...
Using docker image sha256:e42a20110eb49783e5f0e1594c67c8d45663fbf84303c395540b8dc94558d448 for hashicorp/terraform:light ...
Running on runner-72989761-project-14591382-concurrent-0 via runner-72989761-srm-1570020185-504ac9cf...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/my-project/playground-webscraper/.git/
Created fresh repository.
From https://gitlab.com/my-project/playground-webscraper
 * [new branch]      master     -> origin/master
Checking out c183697f as master...

Skipping Git submodules setup
$ rm -rf .terraform
$ terraform --version
Terraform v0.12.9
$ mkdir -p ./creds
$ echo $SERVICEACCOUNT | base64 -d > ./creds/serviceaccount.json
$ terraform init

Initializing the backend...

Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.

Error: Failed to get existing workspaces: querying Cloud Storage failed: googleapi: Error 403: terraform@kims-playground-webscraper.iam.gserviceaccount.com does not have storage.objects.list access to terraform-up-and-running-state., forbidden


ERROR: Job failed: exit code 1

1 answer:

Answer 0 (score: 2)

The Google Cloud Storage bucket namespace is global: terraform-up-and-running-state is already taken by some other bucket somewhere in the world, so you are trying to access their bucket and being denied. There seem to be a number of tutorials on the web that reference this bucket name. Make sure your bucket name is unique.

I'm guessing this isn't your bucket: http://terraform-up-and-running-state.storage.googleapis.com/

See:
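The fix the answer describes, as an added example that is not code from the question or the answer: a separate bootstrap configuration (run once, with the default local backend) that creates a state bucket whose name is derived from the project id plus a random suffix, so it cannot collide with a name taken by another tenant; the main configuration is then pointed at it at `terraform init` time, and the `google_storage_bucket` resource is dropped from main.tf. `project_id`, the `../creds/serviceaccount.json` path and the `tfstate` naming are assumptions, and the `uniform_bucket_level_access` argument assumes a google provider release that supports it (older releases called it `bucket_policy_only`).

```hcl
# bootstrap/main.tf  (added example; assumed layout, not the original project's files)
# Run once with the local backend. It creates the bucket that the main
# configuration's "gcs" backend will later point at, which cannot be done from
# inside that configuration because the backend is initialised before any
# resource is created.

variable "project_id" {
  type        = string
  description = "GCP project id; project ids are globally unique, so they make a safe bucket-name prefix"
}

provider "google" {
  project     = var.project_id
  region      = "europe-west1"
  credentials = file("../creds/serviceaccount.json") # assumed path
}

# Bucket names share one global namespace; a tutorial's name such as
# terraform-up-and-running-state may already belong to someone else, in which
# case every request returns 403 regardless of the roles granted in your project.
resource "random_id" "state_suffix" {
  byte_length = 4
}

resource "google_storage_bucket" "terraform_state" {
  name     = "${var.project_id}-tfstate-${random_id.state_suffix.hex}"
  location = "EU"

  # keep previous state objects so a bad apply can be rolled back
  versioning {
    enabled = true
  }

  # IAM only, no per-object ACLs: one place to audit who can read state
  uniform_bucket_level_access = true
}

output "state_bucket" {
  value = google_storage_bucket.terraform_state.name
}
```

In the main configuration keep the `backend "gcs"` block without a hard-coded `bucket` and pass the bootstrap output in the CI job: `terraform init -backend-config="bucket=$(terraform -chdir=bootstrap output -raw state_bucket)"`. Treat the state bucket as sensitive, since Terraform state contains resource attributes such as credentials and keys in plain text.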