首页 文章

错误:(gcloud.beta.functions.deploy)... message = [来电者没有权限]

提问于
浏览
2

我正在尝试从此repo部署代码:

https://github.com/anishkny/puppeteer-on-cloud-functions

在Google Cloud Build中 . 我的cloudbuild.yaml文件内容是:

steps:
- name: 'gcr.io/cloud-builders/gcloud'
  args: ['beta', 'functions', 'deploy', 'screenshot', '--trigger-http', '--runtime', 'nodejs8', '--memory', '1024MB']

我已将以下角色授予我的Cloud Build Service帐户(****@cloudbuild.gserviceaccount.com):

  • Cloud Build Service Account

  • Cloud Functions Developer

但是,在我的Cloud Build日志中,我看到以下错误:

starting build "1f04522c-fe60-4a25-a4a8-d70e496e2821"

FETCHSOURCE
Fetching storage object: gs://628906418368.cloudbuild-source.googleusercontent.com/94762cc396ed1bb46e8c5dbfa3fa42550140c2eb-b3cfa476-cb21-45ba-849c-c28423982a0f.tar.gz#1534532794239047
Copying gs://628906418368.cloudbuild-source.googleusercontent.com/94762cc396ed1bb46e8c5dbfa3fa42550140c2eb-b3cfa476-cb21-45ba-849c-c28423982a0f.tar.gz#1534532794239047...
/ [0 files][    0.0 B/  835.0 B]                                                
/ [1 files][  835.0 B/  835.0 B]                                                
Operation completed over 1 objects/835.0 B.                                      
tar: Substituting `.' for empty member name
BUILD
Already have image (with digest): gcr.io/cloud-builders/gcloud
ERROR: (gcloud.beta.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[The caller does not have permission]
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/gcloud" failed: exit status 1

我错过了什么?

google-cloud-functions google-cloud-build

3 回答

  • 1

    根据Cloud Build documentation,对于 Cloud 功能,您必须将"Project Editor"角色授予您的服务帐户 .

    但是,Cloud Functions documentation指出,除了使用项目编辑器角色之外,您还可以使用"the Cloud Functions Developer role [but you have to] ensure that you have granted the Service Account User role" . 关于服务帐户,它表示有"the CloudFunctions.ServiceAgent role on your project"和"have permissions for trigger sources, such as Pub/Sub or the Cloud Storage bucket triggering your function" .

    由于这些考虑因素,我的理解是省略了文档以指定服务帐户所需的所有角色,并直接指示授予项目编辑器角色 .

    回复于
  • 2

    当(可能) Cloud 功能进入GA时,权限似乎发生了变化 . 另一位客户今天提出了这个问题,我回忆起了你的问题 .

    Cloud Build机器人( ${NUM}@cloudbuild.gserviceaccount.com )还需要是 ${PROJECT-ID}@appspot.gserviceaccount.com 帐户的serviceAccountUser:

    NB 虽然Cloud Build机器人本地部件是项目编号( ${NUM} ),但appspot机器人本地部件是项目ID( ${PROJECT}

    请试试:

    PROJECT=[[YOUR-PROJECT-ID]]

NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)')

gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}@appspot.gserviceaccount.com \
--member=serviceAccount:${NUM}@cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT}

    让我知道!

    回复于
  • 1

    在阅读了相当多的文档后,我也在努力解决这个问题 . 上述答案的组合让我走上正轨 . 基本上,需要以下内容:

    PROJECT=[PROJECT-NAME]

NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)')

gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}@appspot.gserviceaccount.com \
--member=serviceAccount:${NUM}@cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT}

gcloud iam service-accounts add-iam-policy-binding \
    ${PROJECT}@[INSERT_YOUR_IAM_OWNER_SERVICE_ACCOUNT_NAME].iam.gserviceaccount.com \
    --member='serviceAccount:service-${NUM}@gcf-admin-robot.iam.gserviceaccount.com' \
    --role='roles/iam.serviceAccountUser'

    此外,我通过IAM控制台将“Cloud Functions Developer”角色添加到我的@ cloudbuild.gserviceaccount.com帐户 .

    回复于

相关问题