无法为我的 Postgres Cloud SQL 实例启用私有 IP
Unable to enable a private IP for my Postgres Cloud SQL instance
当我尝试在我的云 SQL 实例 (Postgresql 9.6) 上启用私有 IP 时,我收到以下错误消息:
Network association failed due to the following error: set Service Networking service account as servicenetworking.serviceAgent role on consumer project
我有一个 VPC,我在 "Associated Network" 下拉列表中 select,我也选择了一个托管服务网络,我已经设置好了,所以理论上它应该都能正常工作。
我在 IAM 下找不到与错误消息相关的任何内容,无论是服务帐户还是 servicenetworking.serviceAgent 权限。
更新
包括相关的地形片段
## VPC Setup
resource "google_compute_network" "my_network" {
project = "${var.project_id}"
name = "vpc-play"
auto_create_subnetworks = "false"
routing_mode = "REGIONAL"
}
# There is a bunch of subnets linked to this network which are not included here
## Managed services network
resource "google_compute_global_address" "default" {
name = "google-managed-services-vpc-${var.project_id}"
project = "${var.project_id}"
provider = "google-beta"
ip_version = "IPV4"
prefix_length = 16
address_type = "INTERNAL"
purpose = "VPC_PEERING"
network = "${google_compute_network.my_network.self_link}"
}
## Error occurs on this step
## Error is : google_service_networking_connection.private_vpc_connection: set Service Networking service account as servicenetworking.serviceAgent role on consumer project
resource "google_service_networking_connection" "private_vpc_connection" {
provider = "google-beta"
network = "${google_compute_network.my_network.self_link}"
service = "servicenetworking.googleapis.com"
reserved_peering_ranges = ["${google_compute_global_address.default.name}"]
}
## Database configuration <-- omitted private ip stuff for now as doesn't even get to creation of this, error in previous step
resource "google_sql_database_instance" "my_db" {
depends_on = ["google_service_networking_connection.private_vpc_connection"]
name = "my_db"
project = "${var.project_id}"
database_version = "POSTGRES_9_6"
region = "${var.region}"
lifecycle {
prevent_destroy = true
}
settings {
tier = "db-f1-micro"
backup_configuration {
enabled = true
start_time = "02:00"
}
maintenance_window {
day = 1
hour = 3
update_track = "stable"
}
ip_configuration {
authorized_networks = [
{
name = "office"
value = "${var.my_ip}"
},
]
}
disk_size = 10
availability_type = "ZONAL"
location_preference {
zone = "${var.zone}"
}
}
}
Terraform code to create a Cloud SQL instance with Private IP 有一些错误。第一个是 ${google_compute_network.private_network.self_link} 变量获取网络的完整名称,这意味着类似于 www.googleapis.com/compute/v1/projects/PROJECT-ID/global/networks/testnw2。 google_compute_global_address.private_ip_address.network 字段中不允许使用此值,因此,您需要将 ${google_compute_network.private_network.self_link} 更改为 ${google_compute_network.private_network.name}.
另一个错误是google_sql_database_instance.instance.settings.ip_configuration.private_network中的格式应该是projects/PROJECT_ID/global/networks/NW_ID。所以您需要将字段更改为 projects/[PROJECT_ID]/global/networks/${google_compute_network.private_network.name} 才能工作。
第三个错误,也是您在初始消息中分享的错误,您需要在 Terraform 代码中设置 service account 以获得适当的权限来避免此错误。请检查共享代码的第一行。
第四个错误是您需要使用 google-beta 提供程序而不是 google 默认提供程序来执行此操作
正如我发表的评论中所讨论的那样,我在使用该 Terraform 代码之前看到了 "An Unknown Error occurred" 错误,此错误是指在进行 VPC 对等时出现的错误。我知道解决这个问题很令人沮丧,因为它没有显示任何有用的信息,但如果您在 Google Cloud Platform Support 中打开一个票证,我们将能够使用我们的内部工具检查真正的错误。
正如所承诺的,这是我用来创建专用网络并将其附加到创建时的 Google 云 SQL 实例的代码。
provider "google-beta" {
credentials = "${file("CREDENTIALS.json")}"
project = "PROJECT-ID"
region = "us-central1"
}
resource "google_compute_network" "private_network" {
name = "testnw"
}
resource "google_compute_global_address" "private_ip_address" {
provider="google-beta"
name = "${google_compute_network.private_network.name}"
purpose = "VPC_PEERING"
address_type = "INTERNAL"
prefix_length = 16
network = "${google_compute_network.private_network.name}"
}
resource "google_service_networking_connection" "private_vpc_connection" {
provider="google-beta"
network = "${google_compute_network.private_network.self_link}"
service = "servicenetworking.googleapis.com"
reserved_peering_ranges = ["${google_compute_global_address.private_ip_address.name}"]
}
resource "google_sql_database_instance" "instance" {
provider="google-beta"
depends_on = ["google_service_networking_connection.private_vpc_connection"]
name = "privateinstance"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
ipv4_enabled = "false"
private_network = "projects/PROJECT-ID/global/networks/${google_compute_network.private_network.name}"
}
}
}
似乎 terraform 在某些时候弄乱了帐户的权限,并从所有用户中删除了 servicenetworking.serviceAgent 角色。
禁用然后重新启用服务网络 API 通过重置系统所有用户的权限解决了问题。
好像也和错误有关
Error: googleapi: Error 400: Precondition check failed.,
failedPrecondition
至于这两个错误,我禁用并启用了网络 API,它又开始工作了...
这救了我:
gcloud projects add-iam-policy-binding YOUR_HOST_PROJECT_NAME \
--member=serviceAccount:service-HOST_PROJECT_ACCOUNT_NUMBER@service-networking.iam.gserviceaccount.com \
--role=roles/servicenetworking.serviceAgent
https://thedataguy.in/cloudsql-shared-vpc-private-ip-and-servicenetworking.serviceagent-role/
当我尝试在我的云 SQL 实例 (Postgresql 9.6) 上启用私有 IP 时,我收到以下错误消息:
Network association failed due to the following error: set Service Networking service account as servicenetworking.serviceAgent role on consumer project
我有一个 VPC,我在 "Associated Network" 下拉列表中 select,我也选择了一个托管服务网络,我已经设置好了,所以理论上它应该都能正常工作。
我在 IAM 下找不到与错误消息相关的任何内容,无论是服务帐户还是 servicenetworking.serviceAgent 权限。
更新 包括相关的地形片段
## VPC Setup
resource "google_compute_network" "my_network" {
project = "${var.project_id}"
name = "vpc-play"
auto_create_subnetworks = "false"
routing_mode = "REGIONAL"
}
# There is a bunch of subnets linked to this network which are not included here
## Managed services network
resource "google_compute_global_address" "default" {
name = "google-managed-services-vpc-${var.project_id}"
project = "${var.project_id}"
provider = "google-beta"
ip_version = "IPV4"
prefix_length = 16
address_type = "INTERNAL"
purpose = "VPC_PEERING"
network = "${google_compute_network.my_network.self_link}"
}
## Error occurs on this step
## Error is : google_service_networking_connection.private_vpc_connection: set Service Networking service account as servicenetworking.serviceAgent role on consumer project
resource "google_service_networking_connection" "private_vpc_connection" {
provider = "google-beta"
network = "${google_compute_network.my_network.self_link}"
service = "servicenetworking.googleapis.com"
reserved_peering_ranges = ["${google_compute_global_address.default.name}"]
}
## Database configuration <-- omitted private ip stuff for now as doesn't even get to creation of this, error in previous step
resource "google_sql_database_instance" "my_db" {
depends_on = ["google_service_networking_connection.private_vpc_connection"]
name = "my_db"
project = "${var.project_id}"
database_version = "POSTGRES_9_6"
region = "${var.region}"
lifecycle {
prevent_destroy = true
}
settings {
tier = "db-f1-micro"
backup_configuration {
enabled = true
start_time = "02:00"
}
maintenance_window {
day = 1
hour = 3
update_track = "stable"
}
ip_configuration {
authorized_networks = [
{
name = "office"
value = "${var.my_ip}"
},
]
}
disk_size = 10
availability_type = "ZONAL"
location_preference {
zone = "${var.zone}"
}
}
}
Terraform code to create a Cloud SQL instance with Private IP 有一些错误。第一个是 ${google_compute_network.private_network.self_link} 变量获取网络的完整名称,这意味着类似于 www.googleapis.com/compute/v1/projects/PROJECT-ID/global/networks/testnw2。 google_compute_global_address.private_ip_address.network 字段中不允许使用此值,因此,您需要将 ${google_compute_network.private_network.self_link} 更改为 ${google_compute_network.private_network.name}.
另一个错误是google_sql_database_instance.instance.settings.ip_configuration.private_network中的格式应该是projects/PROJECT_ID/global/networks/NW_ID。所以您需要将字段更改为 projects/[PROJECT_ID]/global/networks/${google_compute_network.private_network.name} 才能工作。
第三个错误,也是您在初始消息中分享的错误,您需要在 Terraform 代码中设置 service account 以获得适当的权限来避免此错误。请检查共享代码的第一行。
第四个错误是您需要使用 google-beta 提供程序而不是 google 默认提供程序来执行此操作
正如我发表的评论中所讨论的那样,我在使用该 Terraform 代码之前看到了 "An Unknown Error occurred" 错误,此错误是指在进行 VPC 对等时出现的错误。我知道解决这个问题很令人沮丧,因为它没有显示任何有用的信息,但如果您在 Google Cloud Platform Support 中打开一个票证,我们将能够使用我们的内部工具检查真正的错误。
正如所承诺的,这是我用来创建专用网络并将其附加到创建时的 Google 云 SQL 实例的代码。
provider "google-beta" {
credentials = "${file("CREDENTIALS.json")}"
project = "PROJECT-ID"
region = "us-central1"
}
resource "google_compute_network" "private_network" {
name = "testnw"
}
resource "google_compute_global_address" "private_ip_address" {
provider="google-beta"
name = "${google_compute_network.private_network.name}"
purpose = "VPC_PEERING"
address_type = "INTERNAL"
prefix_length = 16
network = "${google_compute_network.private_network.name}"
}
resource "google_service_networking_connection" "private_vpc_connection" {
provider="google-beta"
network = "${google_compute_network.private_network.self_link}"
service = "servicenetworking.googleapis.com"
reserved_peering_ranges = ["${google_compute_global_address.private_ip_address.name}"]
}
resource "google_sql_database_instance" "instance" {
provider="google-beta"
depends_on = ["google_service_networking_connection.private_vpc_connection"]
name = "privateinstance"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
ipv4_enabled = "false"
private_network = "projects/PROJECT-ID/global/networks/${google_compute_network.private_network.name}"
}
}
}
似乎 terraform 在某些时候弄乱了帐户的权限,并从所有用户中删除了 servicenetworking.serviceAgent 角色。
禁用然后重新启用服务网络 API 通过重置系统所有用户的权限解决了问题。
好像也和错误有关
Error: googleapi: Error 400: Precondition check failed., failedPrecondition
至于这两个错误,我禁用并启用了网络 API,它又开始工作了...
这救了我:
gcloud projects add-iam-policy-binding YOUR_HOST_PROJECT_NAME \
--member=serviceAccount:service-HOST_PROJECT_ACCOUNT_NUMBER@service-networking.iam.gserviceaccount.com \
--role=roles/servicenetworking.serviceAgent
https://thedataguy.in/cloudsql-shared-vpc-private-ip-and-servicenetworking.serviceagent-role/