6

I am trying to create a bucket using Deployment manager but when I want to create the deployment, I get the following error:

ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1525606425901-56b87ed1537c9-70ca4aca-72406eee]: errors:
- code: RESOURCE_ERROR
  location: /deployments/posts/resources/posts
  message: '{"ResourceType":"storage.v1.bucket","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"myprojectid@cloudservices.gserviceaccount.com
    does not have storage.buckets.get access to posts.","reason":"forbidden"}],"message":"myprojectid@cloudservices.gserviceaccount.com
    does not have storage.buckets.get access to posts.","statusMessage":"Forbidden","requestPath":"https://www.googleapis.com/storage/v1/b/posts","httpMethod":"GET","suggestion":"Consider
    granting permissions to myprojectid@cloudservices.gserviceaccount.com"}}'

If I understand it correctly, the deployment manager uses a service account (as described in the message) to actually create all my resources. I've checked IAM and made sure that the service role (myprojectid@cloudservices.gserviceaccount.com) does have access as "Editor" and even added "Storage Admin" (which includes storage.buckets.get) to be extra sure. However, I still get the same error message.

Am I assigning the permissions to the wrong IAM user / what am I doing wrong?

command used:

gcloud deployment-manager deployments create posts --config posts.yml

my deployment template:

bucket.jinja

resources:
- name: {{ properties['name'] }}
  type: storage.v1.bucket
  properties:
    name: {{ properties['name'] }}
    location: europe-west1
    lifecycle:
      rule:
      - action:
          type: Delete
        condition:
          age: 30
          isLive: true
    labels:
      datatype: {{ properties['datatype'] }}
    storageClass: REGIONAL

posts.yml

imports:
  - path: bucket.jinja

resources:
- name: posts
  type: bucket.jinja
  properties:
    name: posts
    datatype: posts
4

1 回答 1

6

我成功地测试了您的代码,我认为问题在于您试图创建/更新属于您的服务帐户无权的不同项目的不同用户拥有的存储桶。

因此,请尝试重新部署更改可能是唯一名称的名称,并让我知道这是否可以解决问题。在某些情况下,这可能是一个问题,因为您选择的名称很长,或者已经承担了风险。

请注意,您必须更改存储桶的名称,因为它在所有用户的所有项目中必须是唯一的。

这似乎是一个过高的要求,但它可以创建静态网站或使用标准 URL 引用文件:

  • https://storage.googleapis.com/nomebucket/folder/nomefile

从跟踪错误我认为这是问题所在,您正在尝试创建一个不存在且您不拥有的存储桶。

请注意,如果您从服务帐户中删除权限,您不会收到告诉您服务帐户对存储桶没有任何权力的消息:

xxx@cloudservices.gserviceaccount.com does not have storage.buckets.get access to posts.

但相反,一条消息指出服务帐户对项目没有权力:

Service account xxx@cloudservices.gserviceaccount.com is not authorized
    to take actions for project xxx. Please add xxx@cloudservices.gserviceaccount.com
    as an editor under project xxx using Google Developers Console

请注意,如果您尝试创建您已经拥有的存储桶,则没有问题。

$ gcloud deployment-manager deployments create posts22 --config posts.yml                                                                                             
The fingerprint of the deployment is xxx==
Waiting for create [operation-xxx-xxx-xxx-xxx]...done.
Create operation operation-xxx-xxx-xxx-xxx completed successfully.
NAME                  TYPE               STATE      ERRORS  INTENT
nomebuckettest4536  storage.v1.bucket  COMPLETED  []
于 2018-05-22T08:36:49.353 回答