云函数无权对同一计费账户下的其他项目实施支出限额
Cloud function doesn't have permission to other projects under the same billing account to implement a spending limit
我正在按照此处的文档 https://cloud.google.com/appengine/docs/managing-costs 在达到支出限额时禁用使用云函数的 App Engine。
我想为与同一计费帐户相关联的所有项目禁用 App Engine,文档说这应该在以下注释中起作用
Note: The source code assumes that the function you are creating and the app you want to disable are in the same Google Cloud project. If the function and the app are in separate projects, change the source code so APP_NAME identifies the project that contains the app you want to disable.
但是我得到这个错误
Error: function terminated. Recommended action: inspect logs for
termination reason. Details: <HttpError 403 when requesting
https://appengine.googleapis.com/v1/apps/other-project?alt=json
returned "The caller does not have permission">
我还根据文档验证了我正在使用具有管理员角色的 App Engine 默认服务帐户
Select a service account that has the App Engine Admin role. The App Engine default service account has this role by default.
我修改了测试的例子,基本上就是这样
import base64
import json
import os
from googleapiclient import discovery
APP_NAME = os.getenv('GCP_PROJECT')
def limit_use_appengine(data, context):
pubsub_data = base64.b64decode(data['data']).decode('utf-8')
pubsub_json = json.loads(pubsub_data)
cost_amount = pubsub_json['costAmount']
budget_amount = pubsub_json['budgetAmount']
if cost_amount <= budget_amount:
print(f'No action necessary. (Current cost: {cost_amount})')
appengine = discovery.build(
'appengine',
'v1',
cache_discovery=False
)
apps = appengine.apps()
# for testing
display_status(apps, APP_NAME) # works fine
display_status(apps, "billing-account-project-name") # also works fine
display_status(apps, "other-project") # permission error
return
appengine = discovery.build(
'appengine',
'v1',
cache_discovery=False
)
apps = appengine.apps()
check_app(apps, "APP_NAME")
check_app(apps, "other-project")
def check_app(apps, appName):
# Get the target app's serving status
target_app = apps.get(appsId=appName).execute()
current_status = target_app['servingStatus']
# Disable target app, if necessary
if current_status == 'SERVING':
print(f'Attempting to disable app {appName}...')
body = {'servingStatus': 'USER_DISABLED'}
apps.patch(appsId=appName, updateMask='serving_status', body=body).execute()
def display_status(apps, appName):
target_app = apps.get(appsId=appName).execute()
current_status = target_app['servingStatus']
print(f'Serving status for {appName} is {current_status}')
我错过了什么?
服务帐户继承权限或被分配到项目的权限。计费帐户不会影响服务帐户的权限。
解决方案:在项目中为出现权限错误的服务帐户分配权限。如果您使用的是组织,请分配更高的权限,以便服务帐户继承对项目的权限。
我正在按照此处的文档 https://cloud.google.com/appengine/docs/managing-costs 在达到支出限额时禁用使用云函数的 App Engine。
我想为与同一计费帐户相关联的所有项目禁用 App Engine,文档说这应该在以下注释中起作用
Note: The source code assumes that the function you are creating and the app you want to disable are in the same Google Cloud project. If the function and the app are in separate projects, change the source code so APP_NAME identifies the project that contains the app you want to disable.
但是我得到这个错误
Error: function terminated. Recommended action: inspect logs for termination reason. Details: <HttpError 403 when requesting https://appengine.googleapis.com/v1/apps/other-project?alt=json returned "The caller does not have permission">
我还根据文档验证了我正在使用具有管理员角色的 App Engine 默认服务帐户
Select a service account that has the App Engine Admin role. The App Engine default service account has this role by default.
我修改了测试的例子,基本上就是这样
import base64
import json
import os
from googleapiclient import discovery
APP_NAME = os.getenv('GCP_PROJECT')
def limit_use_appengine(data, context):
pubsub_data = base64.b64decode(data['data']).decode('utf-8')
pubsub_json = json.loads(pubsub_data)
cost_amount = pubsub_json['costAmount']
budget_amount = pubsub_json['budgetAmount']
if cost_amount <= budget_amount:
print(f'No action necessary. (Current cost: {cost_amount})')
appengine = discovery.build(
'appengine',
'v1',
cache_discovery=False
)
apps = appengine.apps()
# for testing
display_status(apps, APP_NAME) # works fine
display_status(apps, "billing-account-project-name") # also works fine
display_status(apps, "other-project") # permission error
return
appengine = discovery.build(
'appengine',
'v1',
cache_discovery=False
)
apps = appengine.apps()
check_app(apps, "APP_NAME")
check_app(apps, "other-project")
def check_app(apps, appName):
# Get the target app's serving status
target_app = apps.get(appsId=appName).execute()
current_status = target_app['servingStatus']
# Disable target app, if necessary
if current_status == 'SERVING':
print(f'Attempting to disable app {appName}...')
body = {'servingStatus': 'USER_DISABLED'}
apps.patch(appsId=appName, updateMask='serving_status', body=body).execute()
def display_status(apps, appName):
target_app = apps.get(appsId=appName).execute()
current_status = target_app['servingStatus']
print(f'Serving status for {appName} is {current_status}')
我错过了什么?
服务帐户继承权限或被分配到项目的权限。计费帐户不会影响服务帐户的权限。
解决方案:在项目中为出现权限错误的服务帐户分配权限。如果您使用的是组织,请分配更高的权限,以便服务帐户继承对项目的权限。