您的位置: 首页  >  技术问答  >  Cloud Build无法部署到Google App Engine-您无权充当@ appspot.gserviceaccount.com

Cloud Build无法部署到Google App Engine-您无权充当@ appspot.gserviceaccount.com

分类: 技术问答 2022-03-17 20:35:27

Cloud Build无法部署到Google App Engine-您无权充当@ appspot.gserviceaccount.com

问题描述:

今天早上,我进行了一次PR,该PR在我的登台环境中触发了Cloud Build,但是未能将结果部署到GAE.

This morning I made a PR which triggered a Cloud Build for my staging enviroment but failed to deploy the results to GAE.

错误如下:

错误:(gcloud.app.deploy)PERMISSION_DENIED:您无权充当"[redacted] @ appspot.gserviceaccount.com" 步骤#4:-'@type':type.googleapis.com/google.rpc.ResourceInfo 步骤#4:说明:您无权充当此服务帐户. 步骤#4:resourceName:[已编辑] @ appspot.gserviceaccount.com 步骤#4:resourceType:serviceAccount

ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as '[redacted]@appspot.gserviceaccount.com' Step #4: - '@type': type.googleapis.com/google.rpc.ResourceInfo Step #4: description: You do not have permission to act as this service account. Step #4: resourceName: [redacted]@appspot.gserviceaccount.com Step #4: resourceType: serviceAccount

当我查看 https://console.cloud.google时. com/cloud-build/settings/service-account 云构建具有以下服务帐户权限已启用:

When I look at https://console.cloud.google.com/cloud-build/settings/service-account Cloud build has the follow service account permissions ENABLED:

  • App Engine管理员
  • Cloud KMS

检查 https://console.cloud.google.com/iam-admin/iam 我可以看到cloudbuild服务帐户具有以下角色:

Checking https://console.cloud.google.com/iam-admin/iam I can see that the cloudbuild service account has the following roles:

  • App Engine管理员
  • App Engine Deployer
  • 云构建服务帐户
  • Cloud KMS CryptoKey Decrypter

根据提供的错误,看来您需要向服务帐户中添加一些委托.这意味着该服务帐户可以代表另一个服务帐户执行操作.不要在项目级别添加此权限,因为它会带来安全风险!在下面,您可以找到有关如何在另一个服务帐户上添加roles/iam.serviceAccountUser的示例.

According to the provided error, it seems like you need to add some delegation to your service account. This means that the service account can act on behalf of another service account. Do not add this permission on the project level, since it poses a security risk! Below you can find an example of how to add roles/iam.serviceAccountUser on another service account.

PROJECT_ID=xxxxxx

PROJECT_NUMBER=$(gcloud projects list \
  --format="value(projectNumber)" \
  --filter="projectId=${PROJECT_ID}")

gcloud iam service-accounts add-iam-policy-binding \
    ${PROJECT_ID}@appspot.gserviceaccount.com \
    --member=serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com \
    --role=roles/iam.serviceAccountUser \
    --project=${PROJECT_ID}

总而言之,服务帐户必须具有iam.serviceAccounts.actAs权限,该权限包含在roles/iam.serviceAccountUser角色中.可以在此处找到.

To summarize, the service account must have the iam.serviceAccounts.actAs permission, which is included in the roles/iam.serviceAccountUserrole. Updated Google documentation can be found here.

相关推荐