我正在关注Google GKE 和 SQL 与 terraform https://medium.com/@mudrii/google-gke-and-sql-with-terraform-294fb84061教程
但我无法创建一个google_project.project。
我已经尝试过作为项目所有者和教程中描述的服务。两次尝试均以以下错误结束:
Error: Error applying plan:
1 error(s) occurred:
* google_project.project: 1 error(s) occurred:
* google_project.project: error creating project terraform-dev-357aa670
(terraform-dev): googleapi: Error 403: User is not authorized., forbidden.
If you received a 403 error, make sure
you have the `roles/resourcemanager.projectCreator` permission
我认为我作为项目所有者拥有正确的权限,但显然没有。
以下是我创建服务帐户的方法:
$ gcloud organizations add-iam-policy-binding ${TF_VAR_org_id} \ (gke_my-domain-218910_europe-west1-b_my-domain-vpc-native/default)
> --member serviceAccount:terraform@${TF_ADMIN}.iam.gserviceaccount.com \
> --role roles/resourcemanager.projectCreator
Updated IAM policy for organization [00000].
bindings:
- members:
- domain:my-domain.no
role: roles/billing.creator
- members:
- serviceAccount:[email protected] /cdn-cgi/l/email-protection
- serviceAccount:[email protected] /cdn-cgi/l/email-protection
role: roles/billing.user
- members:
- domain:min-familie.no
- serviceAccount:[email protected] /cdn-cgi/l/email-protection
- serviceAccount:[email protected] /cdn-cgi/l/email-protection
role: roles/resourcemanager.projectCreator
etag: BwWJxJTDnQs=
version: 19d
“手动”创建项目是可行的。$ gcloud projects create ${TF_ADMIN}
.
有什么想法可能是错的吗?
为了创建文件夹和项目,您的帐户需要具有相应的权限,当然您需要确保您使用的是正确的帐户。
首先确保用户拥有正确的权限:
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:[email protected] /cdn-cgi/l/email-protection --role=roles/billing.admin
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:[email protected] /cdn-cgi/l/email-protection --role=roles/resourcemanager.organizationAdmin
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:[email protected] /cdn-cgi/l/email-protection --role=roles/resourcemanager.folderCreator
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:[email protected] /cdn-cgi/l/email-protection --role=roles/resourcemanager.projectCreator
然后确保您设置应用程序默认值并登录到此帐户:
gcloud auth application-default login
设置 API 调用默认计费的项目。阅读更多相关内容here https://cloud.google.com/sdk/gcloud/reference/auth/application-default/set-quota-project。如果不设置此项,运行时可能会出现配额错误terraform apply
.
gcloud auth application-default set-quota-project SOME_BILLING_PROJECT
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)