I am trying to create a GCP VM via Terraform. I created a service account on Google with the Project Owner role. I am trying to create, via Terraform, a bucket in which to store the Terraform state. The credentials .json is stored in a GitLab variable.
The problem is that, although the service account has the Owner role, I still get a 403 error saying that my service account does not have access and is forbidden.
Things I have tried:
I have given the service account different roles, including Project Editor, Storage Admin and Storage Object Admin.
I have deleted and recreated it (and updated the GitLab variable).
I have created the bucket on Google through the UI instead of Terraform, in case that was the problem, but it did not change anything.
The GitLab yml:
```yaml
image:
  name: hashicorp/terraform:light
  entrypoint:
    - '/usr/bin/env'
    - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
before_script:
  - rm -rf .terraform
  - terraform --version
  - mkdir -p ./creds
  - echo $SERVICEACCOUNT | base64 -d > ./creds/serviceaccount.json
  - terraform init
stages:
  - validate
  - plan
  - apply
validate:
  stage: validate
  script:
    - terraform validate
plan:
  stage: plan
  script:
    - terraform plan -out "planfile"
  dependencies:
    - validate
  artifacts:
    paths:
      - planfile
apply:
  stage: apply
  script:
    - terraform apply -input=false "planfile"
  dependencies:
    - plan
  when: manual
```
My main.tf:
```hcl
provider "google" {
  project     = "project-id-name"
  credentials = "./creds/serviceaccount.json"
  region      = "europe-west1"
}

# make bucket to store terraform state into
resource "google_storage_bucket" "terraform_state" {
  name   = "terraform-up-and-running-state"
  region = "europe-west1"
}

# config terraform to store onto cloud in bucket above
terraform {
  backend "gcs" {
    bucket      = "terraform-up-and-running-state"
    credentials = "./creds/serviceaccount.json"
  }
}

# rest
resource "google_compute_instance" "vm_instance" {
  name         = "my-test-vm"
  machine_type = "f1-micro"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    # A default network is created for all GCP projects
    network = "${google_compute_network.vpc_network.self_link}"
    access_config {
    }
  }
}

resource "google_compute_network" "vpc_network" {
  name                    = "my-test-network"
  auto_create_subnetworks = "true"
}
```
The goal is to bring up the Google VM and everything it needs purely through Terraform.
This is what the GitLab validate stage shows:
```text
Running with gitlab-runner 12.3.0 (a8a019e0)
  on docker-auto-scale 72989761
Using Docker executor with image hashicorp/terraform:light ...
Pulling docker image hashicorp/terraform:light ...
Using docker image sha256:e42a20110eb49783e5f0e1594c67c8d45663fbf84303c395540b8dc94558d448 for hashicorp/terraform:light ...
Running on runner-72989761-project-14591382-concurrent-0 via runner-72989761-srm-1570020185-504ac9cf...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/my-project/playground-webscraper/.git/
Created fresh repository.
From https://gitlab.com/my-project/playground-webscraper
 * [new branch]      master     -> origin/master
Checking out c183697f as master...
Skipping Git submodules setup
$ rm -rf .terraform
$ terraform --version
Terraform v0.12.9
$ mkdir -p ./creds
$ echo $SERVICEACCOUNT | base64 -d > ./creds/serviceaccount.json
$ terraform init
Initializing the backend...
Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.
Error: Failed to get existing workspaces: querying Cloud Storage failed: googleapi: Error 403: terraform@kims-playground-webscraper.iam.gserviceaccount.com does not have storage.objects.list access to terraform-up-and-running-state., forbidden
ERROR: Job failed: exit code 1
```
Answer 0: (score: 2)
The Google Cloud Storage bucket namespace is global. terraform-up-and-running-state is already used by some other bucket somewhere in the world, and you are trying to access their bucket and being denied. There seem to be a number of tutorials on the web that reference this bucket name. Make sure your bucket name is unique.
I am guessing this is not your bucket: http://terraform-up-and-running-state.storage.googleapis.com/
See:
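One way to avoid the collision described in the answer, as an added example that is not code from the question or the answer: the state bucket name is derived from the project id plus a random suffix, so it cannot clash with a name copied from a tutorial, and the bucket is hardened because state files often contain secrets. It assumes a `project_id` variable and the hashicorp/random provider.

```hcl
# Added example, not the asker's or answerer's code.
# Assumes a project_id variable and the hashicorp/random provider.
variable "project_id" {
  type = string
}

provider "google" {
  project     = var.project_id
  credentials = file("./creds/serviceaccount.json")
  region      = "europe-west1"
}

# Random suffix so the bucket name is globally unique even if the
# project id itself is guessable.
resource "random_id" "state_suffix" {
  byte_length = 4
}

resource "google_storage_bucket" "terraform_state" {
  # project id + hex suffix: unique across the global GCS namespace
  # and still recognisable as this project's state bucket.
  name     = "${var.project_id}-tfstate-${random_id.state_suffix.hex}"
  location = "EU"

  # Keep object history so a corrupted or overwritten state can be
  # recovered, and disable per-object ACLs so only IAM governs access.
  versioning {
    enabled = true
  }
  uniform_bucket_level_access = true
}

# Printed after apply; use it for the backend configuration below.
output "state_bucket" {
  value = google_storage_bucket.terraform_state.name
}
```

The `backend "gcs"` block cannot interpolate variables, so the assumed workflow is to create the bucket once with local state, then run `terraform init -backend-config="bucket=<value of state_bucket>"` to migrate the state into it.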