I don't know what to set here. Frankly, the whole policy/binding/member thing is very confusing. Are these roles? Anyway...
Trying to access Secret Manager from a Cloud Function. The Cloud Function is set up with Terraform:
# Scheduled Cloud Function (Cloud Scheduler -> Pub/Sub -> function) built from the public module
module "mds_reporting_cloud_function" {
  source  = "terraform-google-modules/scheduled-function/google"
  version = "2.0.0"

  project_id      = var.function_gcp_project
  job_name        = var.function_name
  job_description = var.function_description
  job_schedule    = var.function_cron_schedule

  function_entry_point            = "main"
  function_source_directory       = "${path.module}/../../../../src"
  function_name                   = var.function_name
  region                          = var.function_gcp_region
  bucket_name                     = var.function_name
  function_description            = var.function_description
  function_environment_variables  = var.function_environment_variables
  function_runtime                = "python38"
  topic_name                      = var.function_name
}
# IAM binding placed on the Cloud Function resource itself (this is the resource that fails, see error below)
resource "google_cloudfunctions_function_iam_binding" "binding" {
  project        = var.function_gcp_project
  region         = var.function_gcp_region
  cloud_function = var.function_name
  role           = "roles/secretmanager.secretAccessor"
  members = [
    "serviceAccount:${var.function_gcp_project}@appspot.gserviceaccount.com"
  ]
}
My understanding is that if no service account is specified for the Cloud Function, it uses the default App Engine service account.
The binding should "bind" the role into the existing IAM policy of the App Engine service account.
However, it throws this error:
Error:
Error applying IAM policy for cloudfunctions cloudfunction "projects/alpine-proton-280612/locations/europe-west3/functions/mds-reporting-cloud-function":
Error setting IAM policy for cloudfunctions cloudfunction "projects/alpine-proton-280612/locations/europe-west3/functions/mds-reporting-cloud-function":
googleapi: Error 400: Role roles/secretmanager.secretAccessor is not supported for this resource.
Not sure what to do.
Answer 0: (score: 3)
The best solution is to grant the Cloud Functions service account access to the secret only on the secret itself. To do this, use the Secret Manager IAM Terraform resource:
# IAM binding scoped to one secret: the role is granted on the Secret Manager resource, not on the function
resource "google_secret_manager_secret_iam_binding" "binding" {
  project   = var.function_gcp_project
  secret_id = google_secret_manager_secret.your-secret.secret_id
  # If your secret is not created by Terraform, use this format for the id: projects/{{project}}/secrets/{{secret_id}}
  role      = "roles/secretmanager.secretAccessor"
  members = [
    "serviceAccount:${var.function_gcp_project}@appspot.gserviceaccount.com"
  ]
}
Important note:
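As an added example (not code from the question or the answer above), the following Terraform shows the same per-secret grant carried one step further: the function gets its own service account instead of the shared App Engine default, and the grant is made with `google_secret_manager_secret_iam_member`, which adds one principal to the role without overwriting any other holders the way an `_iam_binding` does. The account id `mds-reporting-sa`, the secret id `mds-reporting-db-password` and the provider version are assumptions.

```hcl
# Added example, not from the original post. Assumes google provider 4.x
# (5.x replaces `replication { automatic = true }` with `replication { auto {} }`).

variable "function_gcp_project" {
  type = string
}

# Dedicated identity for the function. Granting to this account instead of
# PROJECT@appspot.gserviceaccount.com keeps the secret readable only by this
# function, not by everything else running as the App Engine default account.
resource "google_service_account" "function_sa" {
  project      = var.function_gcp_project
  account_id   = "mds-reporting-sa" # assumed name
  display_name = "MDS reporting Cloud Function"
}

# The secret the function needs at runtime.
resource "google_secret_manager_secret" "db_password" {
  project   = var.function_gcp_project
  secret_id = "mds-reporting-db-password" # assumed name

  replication {
    automatic = true
  }
}

# The grant lives on the secret, not on the function: secretAccessor is a
# Secret Manager role, which is why the cloudfunctions IAM resource in the
# question answers with "Role ... is not supported for this resource".
# iam_member is additive; iam_binding would make this list the only holders
# of the role on the secret.
resource "google_secret_manager_secret_iam_member" "function_can_read" {
  project   = google_secret_manager_secret.db_password.project
  secret_id = google_secret_manager_secret.db_password.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.function_sa.email}"
}
```

For the grant to matter, the function has to run as that account: on the plain `google_cloudfunctions_function` resource that is the `service_account_email` argument; with the scheduled-function module from the question, check the module's input for the function's service account (assumed to exist in the version you use). After `terraform apply`, `gcloud secrets get-iam-policy mds-reporting-db-password --project PROJECT_ID` should list exactly the principals you expect under `roles/secretmanager.secretAccessor`, which is a quick way to confirm nothing broader than this one function can read the secret.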