文章/答案/技术大牛

发布

社区首页 >问答首页 >(Terraform，GCP)错误400:这个资源不支持角色角色/run.voker.，badRequest

问(Terraform，GCP)错误400:这个资源不支持角色角色/run.voker.，badRequest
EN

Stack Overflow用户

提问于 2022-01-31 13:38:13

回答 1查看 3.1K关注 0票数 3

在GCP上，我尝试将“服务帐户2"作为”服务帐户1“的成员添加到”服务帐户1"中，下面是Terraform代码：

resource "google_service_account" "service_account_1" {
  display_name = "Service Account 1"
  account_id   = "service-account-1"
}

resource "google_service_account" "service_account_2" {
  display_name = "Service Account 2"
  account_id   = "service-account-2"
}

resource "google_service_account_iam_binding" "service_account_iam_binding" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/run.invoker"

  members = [
    "serviceAccount:${google_service_account.service_account_2.email}" 
  ]

  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}

但我在下面发现了一个错误：

将IAM策略应用于服务帐户'projects/myproject-173831/serviceAccounts/service-account-1@myproject-173831.iam.gserviceaccount.com'：错误设置服务帐户的

策略错误: Error 400: Role roles/run.invoker不支持此资源。

我的Terraform代码有错误吗？

google-cloud-platform

terraform

devops

terraform-provider-gcp

google-cloud-iam

回答 1

Stack Overflow用户

发布于 2022-01-31 13:38:13

不支持"roles/run.invoker".的服务帐户因此，当然，服务帐户“服务帐户1"不支持”roles/run.voker“。只有"roles/run.invoker".云运行支持

如果您确实希望将"roles/iam.serviceAccountUser"“服务帐户2"作为”服务帐户1"的成员添加，则可以使用或"roles/iam.serviceAccountAdmin".

"google_service_account_iam_binding"与"roles/iam.serviceAccountUser"

resource "google_service_account_iam_binding" "service_account_iam_binding" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/iam.serviceAccountUser" // Here

  members = [
    "serviceAccount:${google_service_account.service_account_2.email}" 
  ]

  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}

"google_service_account_iam_binding"与"roles/iam.serviceAccountAdmin"

resource "google_service_account_iam_binding" "service_account_iam_binding" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/iam.serviceAccountAdmin" // Here

  members = [
    "serviceAccount:${google_service_account.service_account_2.email}" 
  ]

  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}

此外，您可以将"google_service_account_iam_member"与"roles/iam.serviceAccountUser"或"roles/iam.serviceAccountAdmin"一起使用，而不是"google_service_account_iam_binding".。

"google_service_account_iam_member"与"roles/iam.serviceAccountUser"

resource "google_service_account_iam_member" "service-account-iam_member" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.service_account_2.email}"

  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}

"google_service_account_iam_member"与"roles/iam.serviceAccountAdmin"

resource "google_service_account_iam_member" "service-account-iam_member" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/iam.serviceAccountAdmin"
  member             = "serviceAccount:${google_service_account.service_account_2.email}"

  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}

最后，可以将"Service 2"添加到"Service 1"中。

票数 0

页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持

原文链接：

https://stackoverflow.com/questions/70926909

复制

相似问题

问(Terraform，GCP)错误400:这个资源不支持角色角色/run.voker.，badRequest
EN

回答 1

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问(Terraform，GCP)错误400:这个资源不支持角色角色/run.voker.，badRequestEN

回答 1

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问(Terraform，GCP)错误400:这个资源不支持角色角色/run.voker.，badRequest
EN