我正在尝试通过云部署管理器将Cloudsq.Client角色添加到服务帐户。我该怎么做?
我发现我可以使用pubsub.v1.topic ResourceType添加原始角色,例如角色/所有者。请参阅官方的Google示例:
resources:
- name: {{ env['name'] }}
type: pubsub.v1.topic
properties:
topic: {{ env['name'] }}
accessControl:
gcpIamPolicy:
bindings:
- role: roles/pubsub.subscriber
members:
- "serviceAccount:$(ref.{{ properties['serviceAccountId'] }}.email)"
,但似乎这与role/cloudsql.client不起作用:它说:
"message":"Role roles/cloudsql.client is not supported for this resource."
我通过API无法为服务帐户创建CloudSQL角色,我很可能必须使用cloudresourcemanager.v1.project资源。但是,仅替换资源也不起作用:
resources:
- name: {{ env['name'] }}
type: cloudresourcemanager.v1.project
properties:
projectId: {{ env['project'] }}
accessControl:
gcpIamPolicy:
bindings:
- role: roles/cloudsql.client
members:
- "serviceAccount:$(ref.{{ properties['serviceAccountId'] }}.email)"
错误:
- code: RESOURCE_ERROR
location: /deployments/test-cluster/resources/cloudsql-client-role
message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"Service
accounts cannot create projects without a parent.","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects","httpMethod":"POST"}}'
我有点卡住了,所以我感谢我能得到的所有帮助!
要解决此操作,您需要在"资源"中使用以下类型:/templates/iam_member/iam_member.py#l30
在服务帐户中添加角色的正确方法是:getiampolicy> setiampolicy
首先,您需要获得策略,然后您能够设定策略,此过程称为"绑定"。
请使用以下模板将角色添加到服务帐户:
https://github.com/googlecloodplatform/deploymentmanager-samples/tree/master/master/community/community/cloud-foundation/templates/iam_member
如果您还有其他问题,我会很乐意为您提供帮助。