gcloud 构建提交 Django 网站导致错误"没有 storage.objects.get access"



我试图部署我的Django网站与云运行,如在谷歌云平台的文档中所述,但我得到错误Error 403: 934957811880@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden时运行命令gcloud builds submit --config cloudmigrate.yaml --substitutions _INSTANCE_NAME=trouwfeestwebsite-db,_REGION=europe-west6

命令的完整输出是:(错误在底部)

Creating temporary tarball archive of 119 file(s) totalling 23.2 MiB before compression.
Some files were not included in the source upload.
Check the gcloud log [C:UsersSanderAppDataRoaminggcloudlogs2021.10.2320.53.18.638301.log] t
o see which files and the contents of the
default gcloudignore file used (see `$ gcloud topic gcloudignore` to learn
more).
Uploading tarball of [.] to [gs://trouwfeestwebsite_cloudbuild/source/1635015198.74424-eca822c138ec
48878f292b9403f99e83.tgz]
ERROR: (gcloud.builds.submit) INVALID_ARGUMENT: could not resolve source: googleapi: Error 403: 934957811880@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden

在我的存储桶级别上,我授予934957811880@cloudbuild.gserviceaccount.com存储对象查看器的权限,正如我在https://cloud.google.com/storage/docs/access-control/iam-roles上看到的,这涵盖了storage.objects.get访问。我还尝试通过授予存储对象管理和存储管理。

我还添加了"Viewer"在IAM级别(https://console.cloud.google.com/iam-admin/iam)的角色为934957811880@cloudbuild.gserviceaccount.com,如https://stackoverflow.com/a/68303613/5433896和https://github.com/google-github-actions/setup-gcloud/issues/105所建议的,但它似乎是可疑的,我给帐户如此广泛的作用。

我在Cloud Build permissions选项卡中启用了Cloud run: https://console.cloud.google.com/cloud-build/settings/service-account?project=trouwfeestwebsite

有了这些更改,当运行gcloud build submit命令时,我仍然得到相同的错误。

我不明白在凭据/身份验证方面我可能做错了什么(https://stackoverflow.com/a/68293734/5433896)。我没有更改我的谷歌帐户密码,也没有撤销该帐户对谷歌云SDK的权限,因为我初始化了该SDK。

你知道我错过了什么吗?

我的cloudmigrate.yaml的内容是:

steps:
- id: "build image"
name: "gcr.io/cloud-builders/docker"
args: ["build", "-t", "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}", "."]
- id: "push image"
name: "gcr.io/cloud-builders/docker"
args: ["push", "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}"]
- id: "apply migrations"
name: "gcr.io/google-appengine/exec-wrapper"
args:
[
"-i",
"gcr.io/$PROJECT_ID/${_SERVICE_NAME}",
"-s",
"${PROJECT_ID}:${_REGION}:${_INSTANCE_NAME}",
"-e",
"SETTINGS_NAME=${_SECRET_SETTINGS_NAME}",
"--",
"python",
"manage.py",
"migrate",
]
- id: "collect static"
name: "gcr.io/google-appengine/exec-wrapper"
args:
[
"-i",
"gcr.io/$PROJECT_ID/${_SERVICE_NAME}",
"-s",
"${PROJECT_ID}:${_REGION}:${_INSTANCE_NAME}",
"-e",
"SETTINGS_NAME=${_SECRET_SETTINGS_NAME}",
"--",
"python",
"manage.py",
"collectstatic",
"--verbosity",
"2",
"--no-input",
]
substitutions:
_INSTANCE_NAME: trouwfeestwebsite-db
_REGION: europe-west6
_SERVICE_NAME: invites-service
_SECRET_SETTINGS_NAME: django_settings
images:
- "gcr.io/${PROJECT_ID}/${_SERVICE_NAME}"

非常感谢你的帮助。

解决了我的问题。

  1. DazWilkin说得对:

    它不正确|无法引用桶

    (评论投票,谢谢!!)。在我的秘密(配置在秘密管理器;或者,您也可以将其放在项目根文件夹级别的.env文件中,并确保不将该文件排除在.gcloudignore文件中进行部署设置:

    GS_BUCKET_NAME=trouwfeestwebsite_sasa-trouw-bucket(项目ID +下划线+存储桶ID)

    代替GS_BUCKET_NAME=sasa-trouw-bucket

    虽然教程实际上说我必须设置第一个,但我设置了后者,因为我发现下划线分割很奇怪,在教程中我没有看到类似的东西,我认为这是教程中的错误。

    调整GS_BUCKET_NAME更改了gcloud构建提交到:

    Creating temporary tarball archive of 412 file(s) totalling 41.6 MiB before compression.
    Uploading tarball of [.] to [gs://trouwfeestwebsite_cloudbuild/source/1635063996.982304-d33fef2af77a4744a3bb45f02da8476b.tgz]
    ERROR: (gcloud.builds.submit) PERMISSION_DENIED: service account "934957811880@cloudbuild.gserviceaccount.com" has insufficient permission to execute the build on project "trouwfeestwebsite"
    

    这意味着至少现在找到了桶,只缺少一个权限。

    编辑(几个小时后):我注意到这个GS_BUCKET_NAME=trouwfeestwebsite_sasa-trouw-bucket(项目ID +下划线+存储桶ID)设置在部署的后期阶段引起了麻烦,当部署静态文件(cloudmigration .yaml的最后一步)。这似乎对两者都有效(请注意,项目ID不再在GS_BUCKET_NAME中,而是在其单独的环境变量中):

    DATABASE_URL=postgres://myuser:mypassword@//cloudsql/mywebsite:europe-west6:mywebsite-db/mydb
    GS_PROJECT_ID=trouwfeestwebsite
    GS_BUCKET_NAME=sasa-trouw-bucket
    SECRET_KEY=my123Very456Long789Secret0Key
    
  2. 然后,似乎真的有一个权限问题:

    • 为了完整起见,之后,我尝试添加https://stackoverflow.com/a/55635575/5433896中所述的权限,但它并没有阻止我在问题中报告的错误。

    • 这个答案帮助了我:https://stackoverflow.com/a/33923292/5433896。=比;在cloudbuild服务帐户上设置Editor角色有助于gcloud构建提交命令继续其进程,而不会抛出权限错误。

  3. 如果你有同样的问题:我认为我的问题中提到的一些事情也可以帮助你-例如,我认为这样做可能也很重要:

    我在云构建权限选项卡中启用了云运行:https://console.cloud.google.com/cloud-build/settings/service-account?project=trouwfeestwebsite

相关内容

  • 没有找到相关文章

最新更新