
I've got a node.js application trying to create an Instance Group Manager. It's running on an instance with a service account attached to the instance with scopes compute-rw and cloud-platform. This service account has a role with the following permissions:

includedPermissions:
- compute.autoscalers.create
- compute.autoscalers.get
- compute.disks.create
- compute.images.get
- compute.images.useReadOnly
- compute.instanceGroupManagers.create
- compute.instanceGroupManagers.get
- compute.instanceGroupManagers.use
- compute.instanceTemplates.create
- compute.instanceTemplates.get
- compute.instanceTemplates.useReadOnly
- compute.instances.create
- compute.instances.setMetadata
- compute.instances.setTags
- compute.networks.get
- compute.subnetworks.get
- compute.subnetworks.use

Looking at the audit log for resource.type="gce_instance_group_manager" I can see in the first log entry:

ProtoPayload.authorizationInfo:
  - granted: true
    permission: compute.instanceGroupManagers.create
    resourceAttributes:
      name: projects/my-project/zones/us-east1-b/instanceGroupManagers/resource-name
      service: compute
      type: compute.instanceGroupManagers
  - granted: true
    permission: compute.instanceTemplates.useReadOnly
    resourceAttributes:
      name: projects/my-project/global/instanceTemplates/resource-name
      service: compute
      type: compute.instanceTemplates
  - granted: true
    permission: compute.instances.create
    resourceAttributes:
      name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
      service: compute
      type: compute.instances
  - granted: true
    permission: compute.disks.create
    resourceAttributes:
      name: projects/my-project/zones/us-east1-b/disks/resource-name-0000
      service: compute
      type: compute.disks
  - granted: true
    permission: compute.images.useReadOnly
    resourceAttributes:
      name: projects/my-project/global/images/resource-name-image
      service: compute
      type: compute.images
  - granted: true
    permission: compute.subnetworks.use
    resourceAttributes:
      name: projects/my-project/regions/us-east1/subnetworks/resource-name-subnet
      service: compute
      type: compute.subnetworks
  - granted: true
    permission: compute.instances.setMetadata
    resourceAttributes:
      name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
      service: compute
      type: compute.instances
  - granted: true
    permission: compute.instances.setTags
    resourceAttributes:
      name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
      service: compute
      type: compute.instances

I get 200 OK back with status: "PENDING" in the body.

Only when looking through the audit logs do I see a log entry with status.message: INVALID_PARAMETER with no explanation and then another log entry with:

jsonPayload.error:
  - code: SERVICE_ACCOUNT_ACCESS_DENIED
    detail_message: ''
    location: ''

When attaching the Editor role to the service account I can create the Instance Group Manager, so there seem to be some permissions missing. The logs show no permissions that were not granted, so what could be missing?

Raw logs


1 Answer


It turned out that the instanceTemplate attaches a service account to the instance. Because of that, the iam.serviceAccountUser role is required on the service account used by the instances that the Instance Group Manager creates.

In my case the service account was not needed, so I removed it from the instance template, and the permissions listed above were sufficient.

Answered 2018-08-16T13:39:01.303
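The two points the thread turned on, written up as an added example in the application's own language (this is not code from the question or the answer): the insert call only returns an Operation, so its errors surface after polling, and a template that attaches a service account requires roles/iam.serviceAccountUser for the creating identity on that account, bound on the account itself rather than project-wide. Field names follow the Compute API (operation.status, operation.error.errors[], template.properties.serviceAccounts[]); the e-mail addresses and member are constructed.

```javascript
// Added example (not from the question or answer). Models the diagnosis a
// practitioner would want after a 200 OK / PENDING insert that later fails.
const SA_DENIED = 'SERVICE_ACCOUNT_ACCESS_DENIED';

// Least-privilege fix: bind the role on each service account the template
// attaches, scoped to that account, only for the identity creating the group.
function requiredBindings(template, member) {
  const accounts = template.properties?.serviceAccounts ?? [];
  return accounts.map(sa => ({
    serviceAccount: sa.email,
    member,
    role: 'roles/iam.serviceAccountUser',
  }));
}

// gcloud invocation that applies one binding on the service account resource.
function gcloudCommand(b) {
  return `gcloud iam service-accounts add-iam-policy-binding ${b.serviceAccount} ` +
         `--member=${b.member} --role=${b.role}`;
}

// Interpret a Compute Operation. Returns null while it is still PENDING/RUNNING
// (keep polling), { ok: true } on success, or a diagnosis naming the bindings.
function diagnoseOperation(operation, template, member) {
  if (operation.status !== 'DONE') return null;
  const errors = operation.error?.errors ?? [];
  if (errors.length === 0) return { ok: true };
  const codes = errors.map(e => e.code);
  if (!codes.includes(SA_DENIED)) {
    return { ok: false, codes, cause: 'not a service-account impersonation failure', bindings: [] };
  }
  const bindings = requiredBindings(template, member);
  const cause = bindings.length
    ? 'caller lacks roles/iam.serviceAccountUser on the service account(s) the template attaches'
    : 'template attaches no service account; check which template the group manager actually uses';
  return { ok: false, codes, cause, bindings, commands: bindings.map(gcloudCommand) };
}

// Constructed sample data mirroring the question: a template that attaches a
// runtime service account, the immediate PENDING reply, and the final failure.
const sampleTemplate = { properties: { serviceAccounts: [
  { email: 'vm-runtime@my-project.iam.gserviceaccount.com',
    scopes: ['https://www.googleapis.com/auth/cloud-platform'] } ] } };
const deployer = 'serviceAccount:deployer@my-project.iam.gserviceaccount.com';
const pendingOp = { status: 'PENDING' };
const failedOp = { status: 'DONE', error: { errors: [{ code: SA_DENIED, message: '' }] } };

module.exports = { requiredBindings, gcloudCommand, diagnoseOperation, sampleTemplate, deployer, pendingOp, failedOp };
```

Run with `node` and call `diagnoseOperation(failedOp, sampleTemplate, deployer)` to see the single binding and the gcloud command that grants it; an Editor binding is never suggested.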