Currently, I get the following error when deploying this Cloud resource in my dev environment.

    Step #1 - "Terraform plan": │ Error: Error creating Job: googleapi: Error 403: The principal (user or service account) lacks IAM permission "cloudscheduler.jobs.create" for the resource "projects/whg-dev/locations/us-east1" (or the resource may not exist).
    Step #1 - "Terraform plan": │
    Step #1 - "Terraform plan": │ with google_cloud_scheduler_job.scheduler,
    Step #1 - "Terraform plan": │ on scheduler_template.tf line 11, in resource "google_cloud_scheduler_job" "scheduler":
    Step #1 - "Terraform plan": │ 11: resource "google_cloud_scheduler_job" "scheduler" {
    Step #1 - "Terraform plan": │

I can't find what is missing in my TF configuration.

    # Google-Cloud-Scheduler
    resource "google_project_service" "scheduler_api" {
      service            = "cloudscheduler.googleapis.com"
      provider           = google-beta
      project            = var.project_id
      disable_on_destroy = false
    }

    resource "google_cloud_scheduler_job" "scheduler" {
      name             = "NotificationsRemindersBatch-test"
      description      = "test http job"
      schedule         = "*/30 * * * *"
      time_zone        = "Etc/UTC"
      region           = "us-east1"
      attempt_deadline = "180s"
      project          = var.project_id
      depends_on       = [google_project_service.scheduler_api]

      retry_config {
        retry_count = 1
      }

      http_target {
        http_method = "POST"
        uri         = "https://notifications-reminders-service-v35463ja-ue.a.run.app/"
        body        = base64encode("{\"foo\":\"bar\"}")
      }
    }

Role configuration and authorization

These configurations are set in a different repository as main.tf; this is the setup:

    resource "google_cloud_run_service_iam_member" "authorize" {
      location = google_cloud_run_service.main.location
      project  = google_cloud_run_service.main.project
      service  = google_cloud_run_service.main.name
      role     = "roles/run.invoker"
      member   = "allUsers"
    }

    resource "google_project_iam_member" "project" {
      count   = length(var.roles)
      project = google_cloud_run_service.main.project
      role    = var.roles[count.index]
      member  = "serviceAccount:${google_service_account.sa.email}"
    }

A "roles" parameter was also created in the variables folder.

Hope this helps.

Posted on 2022-06-29 02:10:40

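As @John commented, you can add a service account in order to make requests against GCP.

To make requests against GCP, you need to authenticate to prove that it is you making the request.

In addition, I successfully reproduced your error and resolved it by creating a service account that has the Cloud Scheduler Admin role. You can follow the official documentation on how to create a service account and then download the key.

Then pass the service account key through an environment variable, like this.

    export GOOGLE_APPLICATION_CREDENTIALS="path/to/service/account"

Sample output: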

https://stackoverflow.com/questions/72792305
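
The fix described in the answer, written as Terraform: a dedicated service account that holds the Cloud Scheduler Admin role. This is an added example, not part of the original question or answer. The resource names and the `account_id` are hypothetical, and it assumes the configuration is applied once by a principal that can already manage IAM on the project.

```hcl
# Added example (not from the original post). Resource names and account_id
# are hypothetical; var.project_id mirrors the variable used in the question.
variable "project_id" {
  type        = string
  description = "Project that hosts the Cloud Scheduler job."
}

# Dedicated identity used for running Terraform against this project. Its key
# is what GOOGLE_APPLICATION_CREDENTIALS would point to.
resource "google_service_account" "terraform_deployer" {
  project      = var.project_id
  account_id   = "terraform-deployer" # hypothetical name
  display_name = "Terraform deployer for Cloud Scheduler jobs"
}

# roles/cloudscheduler.admin is the Cloud Scheduler Admin role; it contains
# cloudscheduler.jobs.create, the permission named in the 403 error.
resource "google_project_iam_member" "deployer_scheduler_admin" {
  project = var.project_id
  role    = "roles/cloudscheduler.admin"
  member  = "serviceAccount:${google_service_account.terraform_deployer.email}"
}

# Email of the deployer identity, for confirming which principal Terraform
# authenticates as when the plan step runs.
output "terraform_deployer_email" {
  value = google_service_account.terraform_deployer.email
}
```

The role is bound to the identity that runs Terraform, which is separate from the `google_service_account.sa` member that receives `var.roles` in the question's main.tf.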