ERROR: (gcloud.beta.functions.deploy) ... message=[The caller does not have permission]
ERROR: (gcloud.beta.functions.deploy) ... message=[The caller does not have permission]
我正在尝试从该存储库部署代码:
https://github.com/anishkny/puppeteer-on-cloud-functions
在 Google 云构建中。我的 cloudbuild.yaml 文件内容是:
steps:
- name: 'gcr.io/cloud-builders/gcloud'
args: ['beta', 'functions', 'deploy', 'screenshot', '--trigger-http', '--runtime', 'nodejs8', '--memory', '1024MB']
我已将以下角色授予我的云构建服务帐户 (****@cloudbuild.gserviceaccount.com):
- 云构建服务帐户
- 云函数开发人员
然而,在我的 Cloud Build 日志中,我看到以下错误:
starting build "1f04522c-fe60-4a25-a4a8-d70e496e2821"
FETCHSOURCE
Fetching storage object: gs://628906418368.cloudbuild-source.googleusercontent.com/94762cc396ed1bb46e8c5dbfa3fa42550140c2eb-b3cfa476-cb21-45ba-849c-c28423982a0f.tar.gz#1534532794239047
Copying gs://628906418368.cloudbuild-source.googleusercontent.com/94762cc396ed1bb46e8c5dbfa3fa42550140c2eb-b3cfa476-cb21-45ba-849c-c28423982a0f.tar.gz#1534532794239047...
/ [0 files][ 0.0 B/ 835.0 B]
/ [1 files][ 835.0 B/ 835.0 B]
Operation completed over 1 objects/835.0 B.
tar: Substituting `.' for empty member name
BUILD
Already have image (with digest): gcr.io/cloud-builders/gcloud
ERROR: (gcloud.beta.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[The caller does not have permission]
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/gcloud" failed: exit status 1
我错过了什么?
根据 Cloud Build documentation,对于 Cloud Functions,您必须将 "Project Editor" 角色授予您的服务帐户。
但是,Cloud Functions documentation 指出,除了使用项目编辑器角色,您还可以使用 "the Cloud Functions Developer role [but you have to] ensure that you have granted the Service Account User role"。关于服务帐户,它表示有 "the CloudFunctions.ServiceAgent role on your project" 和 "have permissions for trigger sources, such as Pub/Sub or the Cloud Storage bucket triggering your function"。
出于这些考虑,我的理解是文档省略了指定您的服务帐户需要的所有角色,并直接指示授予项目编辑器角色。
当(可能)Cloud Functions 正式发布时,权限似乎发生了变化。今天另一个客户提出了这个问题,我想起了你的问题。
Cloud Build 机器人 (${NUM}@cloudbuild.gserviceaccount.com) 还需要成为 ${PROJECT-ID}@appspot.gserviceaccount.com 帐户的 serviceAccountUser:
NB 虽然 Cloud Build 机器人本地部分是项目编号 (${NUM}),appspot 机器人本地部分是项目 ID (${PROJECT} )
请尝试:
PROJECT=[[YOUR-PROJECT-ID]]
NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)')
gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}@appspot.gserviceaccount.com \
--member=serviceAccount:${NUM}@cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT}
告诉我!
在阅读了大量文档后,我也为此苦苦挣扎。以上答案的组合让我走上了正确的轨道。基本上,需要如下内容:
PROJECT=[PROJECT-NAME]
NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)')
gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}@appspot.gserviceaccount.com \
--member=serviceAccount:${NUM}@cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT}
gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}@[INSERT_YOUR_IAM_OWNER_SERVICE_ACCOUNT_NAME].iam.gserviceaccount.com \
--member='serviceAccount:service-${NUM}@gcf-admin-robot.iam.gserviceaccount.com' \
--role='roles/iam.serviceAccountUser'
此外,我通过 IAM 控制台将 "Cloud Functions Developer" 角色添加到我的@cloudbuild.gserviceaccount.com 帐户。
使用 auth 开始您的云构建
steps:
- name: 'gcr.io/cloud-builders/gcloud'
args: ['auth', 'activate-service-account', 'xoxox@xoxo-dev.iam.gserviceaccount.com', '--key-file=account.json', '--project=rabbito-dev']
然后简单地在云函数上部署代码
- name: 'gcr.io/cloud-builders/gcloud'
args: ['beta', 'functions', 'deploy', 'screenshot', '--trigger-http', '--runtime', 'nodejs8', '--memory', '1024MB']
您必须在 Cloud Build 设置页面上更新服务帐户权限。
这是说明https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#fully-managed
您只需在该页面上将 Cloud 运行 管理员角色的状态设置为已启用:
我正在尝试从该存储库部署代码:
https://github.com/anishkny/puppeteer-on-cloud-functions
在 Google 云构建中。我的 cloudbuild.yaml 文件内容是:
steps:
- name: 'gcr.io/cloud-builders/gcloud'
args: ['beta', 'functions', 'deploy', 'screenshot', '--trigger-http', '--runtime', 'nodejs8', '--memory', '1024MB']
我已将以下角色授予我的云构建服务帐户 (****@cloudbuild.gserviceaccount.com):
- 云构建服务帐户
- 云函数开发人员
然而,在我的 Cloud Build 日志中,我看到以下错误:
starting build "1f04522c-fe60-4a25-a4a8-d70e496e2821"
FETCHSOURCE
Fetching storage object: gs://628906418368.cloudbuild-source.googleusercontent.com/94762cc396ed1bb46e8c5dbfa3fa42550140c2eb-b3cfa476-cb21-45ba-849c-c28423982a0f.tar.gz#1534532794239047
Copying gs://628906418368.cloudbuild-source.googleusercontent.com/94762cc396ed1bb46e8c5dbfa3fa42550140c2eb-b3cfa476-cb21-45ba-849c-c28423982a0f.tar.gz#1534532794239047...
/ [0 files][ 0.0 B/ 835.0 B]
/ [1 files][ 835.0 B/ 835.0 B]
Operation completed over 1 objects/835.0 B.
tar: Substituting `.' for empty member name
BUILD
Already have image (with digest): gcr.io/cloud-builders/gcloud
ERROR: (gcloud.beta.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[The caller does not have permission]
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/gcloud" failed: exit status 1
我错过了什么?
根据 Cloud Build documentation,对于 Cloud Functions,您必须将 "Project Editor" 角色授予您的服务帐户。
但是,Cloud Functions documentation 指出,除了使用项目编辑器角色,您还可以使用 "the Cloud Functions Developer role [but you have to] ensure that you have granted the Service Account User role"。关于服务帐户,它表示有 "the CloudFunctions.ServiceAgent role on your project" 和 "have permissions for trigger sources, such as Pub/Sub or the Cloud Storage bucket triggering your function"。
出于这些考虑,我的理解是文档省略了指定您的服务帐户需要的所有角色,并直接指示授予项目编辑器角色。
当(可能)Cloud Functions 正式发布时,权限似乎发生了变化。今天另一个客户提出了这个问题,我想起了你的问题。
Cloud Build 机器人 (${NUM}@cloudbuild.gserviceaccount.com) 还需要成为 ${PROJECT-ID}@appspot.gserviceaccount.com 帐户的 serviceAccountUser:
NB 虽然 Cloud Build 机器人本地部分是项目编号 (${NUM}),appspot 机器人本地部分是项目 ID (${PROJECT} )
请尝试:
PROJECT=[[YOUR-PROJECT-ID]]
NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)')
gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}@appspot.gserviceaccount.com \
--member=serviceAccount:${NUM}@cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT}
告诉我!
在阅读了大量文档后,我也为此苦苦挣扎。以上答案的组合让我走上了正确的轨道。基本上,需要如下内容:
PROJECT=[PROJECT-NAME]
NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)')
gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}@appspot.gserviceaccount.com \
--member=serviceAccount:${NUM}@cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT}
gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}@[INSERT_YOUR_IAM_OWNER_SERVICE_ACCOUNT_NAME].iam.gserviceaccount.com \
--member='serviceAccount:service-${NUM}@gcf-admin-robot.iam.gserviceaccount.com' \
--role='roles/iam.serviceAccountUser'
此外,我通过 IAM 控制台将 "Cloud Functions Developer" 角色添加到我的@cloudbuild.gserviceaccount.com 帐户。
使用 auth 开始您的云构建
steps:
- name: 'gcr.io/cloud-builders/gcloud'
args: ['auth', 'activate-service-account', 'xoxox@xoxo-dev.iam.gserviceaccount.com', '--key-file=account.json', '--project=rabbito-dev']
然后简单地在云函数上部署代码
- name: 'gcr.io/cloud-builders/gcloud'
args: ['beta', 'functions', 'deploy', 'screenshot', '--trigger-http', '--runtime', 'nodejs8', '--memory', '1024MB']
您必须在 Cloud Build 设置页面上更新服务帐户权限。 这是说明https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#fully-managed
您只需在该页面上将 Cloud 运行 管理员角色的状态设置为已启用: