我试图部署我的Django网站与云运行,如在谷歌云平台的文档中所述,但我得到错误Error 403: 934957811880@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden
时运行命令gcloud builds submit --config cloudmigrate.yaml --substitutions _INSTANCE_NAME=trouwfeestwebsite-db,_REGION=europe-west6
命令的完整输出是:(错误在底部)
Creating temporary tarball archive of 119 file(s) totalling 23.2 MiB before compression.
Some files were not included in the source upload.
Check the gcloud log [C:UsersSanderAppDataRoaminggcloudlogs2021.10.2320.53.18.638301.log] t
o see which files and the contents of the
default gcloudignore file used (see `$ gcloud topic gcloudignore` to learn
more).
Uploading tarball of [.] to [gs://trouwfeestwebsite_cloudbuild/source/1635015198.74424-eca822c138ec
48878f292b9403f99e83.tgz]
ERROR: (gcloud.builds.submit) INVALID_ARGUMENT: could not resolve source: googleapi: Error 403: 934957811880@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden
在我的存储桶级别上,我授予934957811880@cloudbuild.gserviceaccount.com存储对象查看器的权限,正如我在https://cloud.google.com/storage/docs/access-control/iam-roles上看到的,这涵盖了storage.objects.get
访问。我还尝试通过授予存储对象管理和存储管理。
我还添加了"Viewer"在IAM级别(https://console.cloud.google.com/iam-admin/iam)的角色为934957811880@cloudbuild.gserviceaccount.com,如https://stackoverflow.com/a/68303613/5433896和https://github.com/google-github-actions/setup-gcloud/issues/105所建议的,但它似乎是可疑的,我给帐户如此广泛的作用。
我在Cloud Build permissions选项卡中启用了Cloud run: https://console.cloud.google.com/cloud-build/settings/service-account?project=trouwfeestwebsite
有了这些更改,当运行gcloud build submit命令时,我仍然得到相同的错误。
我不明白在凭据/身份验证方面我可能做错了什么(https://stackoverflow.com/a/68293734/5433896)。我没有更改我的谷歌帐户密码,也没有撤销该帐户对谷歌云SDK的权限,因为我初始化了该SDK。
你知道我错过了什么吗?
我的cloudmigrate.yaml
的内容是:
steps:
- id: "build image"
name: "gcr.io/cloud-builders/docker"
args: ["build", "-t", "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}", "."]
- id: "push image"
name: "gcr.io/cloud-builders/docker"
args: ["push", "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}"]
- id: "apply migrations"
name: "gcr.io/google-appengine/exec-wrapper"
args:
[
"-i",
"gcr.io/$PROJECT_ID/${_SERVICE_NAME}",
"-s",
"${PROJECT_ID}:${_REGION}:${_INSTANCE_NAME}",
"-e",
"SETTINGS_NAME=${_SECRET_SETTINGS_NAME}",
"--",
"python",
"manage.py",
"migrate",
]
- id: "collect static"
name: "gcr.io/google-appengine/exec-wrapper"
args:
[
"-i",
"gcr.io/$PROJECT_ID/${_SERVICE_NAME}",
"-s",
"${PROJECT_ID}:${_REGION}:${_INSTANCE_NAME}",
"-e",
"SETTINGS_NAME=${_SECRET_SETTINGS_NAME}",
"--",
"python",
"manage.py",
"collectstatic",
"--verbosity",
"2",
"--no-input",
]
substitutions:
_INSTANCE_NAME: trouwfeestwebsite-db
_REGION: europe-west6
_SERVICE_NAME: invites-service
_SECRET_SETTINGS_NAME: django_settings
images:
- "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}"
非常感谢你的帮助。
解决了我的问题。
-
DazWilkin说得对:
它不正确|无法引用桶
(评论投票,谢谢!!)。在我的秘密(配置在秘密管理器;或者,您也可以将其放在项目根文件夹级别的.env文件中,并确保不将该文件排除在.gcloudignore文件中进行部署设置:
GS_BUCKET_NAME=trouwfeestwebsite_sasa-trouw-bucket
(项目ID +下划线+存储桶ID)代替
GS_BUCKET_NAME=sasa-trouw-bucket
虽然教程实际上说我必须设置第一个,但我设置了后者,因为我发现下划线分割很奇怪,在教程中我没有看到类似的东西,我认为这是教程中的错误。
调整
GS_BUCKET_NAME
更改了gcloud构建提交到:Creating temporary tarball archive of 412 file(s) totalling 41.6 MiB before compression. Uploading tarball of [.] to [gs://trouwfeestwebsite_cloudbuild/source/1635063996.982304-d33fef2af77a4744a3bb45f02da8476b.tgz] ERROR: (gcloud.builds.submit) PERMISSION_DENIED: service account "934957811880@cloudbuild.gserviceaccount.com" has insufficient permission to execute the build on project "trouwfeestwebsite"
这意味着至少现在找到了桶,只缺少一个权限。
编辑(几个小时后):我注意到这个
GS_BUCKET_NAME=trouwfeestwebsite_sasa-trouw-bucket
(项目ID +下划线+存储桶ID)设置在部署的后期阶段引起了麻烦,当部署静态文件(cloudmigration .yaml的最后一步)。这似乎对两者都有效(请注意,项目ID不再在GS_BUCKET_NAME中,而是在其单独的环境变量中):DATABASE_URL=postgres://myuser:mypassword@//cloudsql/mywebsite:europe-west6:mywebsite-db/mydb GS_PROJECT_ID=trouwfeestwebsite GS_BUCKET_NAME=sasa-trouw-bucket SECRET_KEY=my123Very456Long789Secret0Key
-
然后,似乎真的有一个权限问题:
-
为了完整起见,之后,我尝试添加https://stackoverflow.com/a/55635575/5433896中所述的权限,但它并没有阻止我在问题中报告的错误。
-
这个答案帮助了我:https://stackoverflow.com/a/33923292/5433896。=比;在cloudbuild服务帐户上设置
Editor
角色有助于gcloud构建提交命令继续其进程,而不会抛出权限错误。
-
-
如果你有同样的问题:我认为我的问题中提到的一些事情也可以帮助你-例如,我认为这样做可能也很重要:
我在云构建权限选项卡中启用了云运行:https://console.cloud.google.com/cloud-build/settings/service-account?project=trouwfeestwebsite