GCP project creation via deploymentmanager

て烟熏妆下的殇ゞ 提交于 2020-01-24 19:20:06

问题


So im trying to create a project with google cloud deployment manager, Ive structured the setup roughly as below:

# Structure
Org -> Folder1 -> Seed-Project(Location where I am running deployment manager from)

Organization:
  IAM:
    -> {Seed-Project-Number}@cloudservices.gserviceaccount.com:
        - Compute Network Admin
        - Compute Shared VPC Admin
        - Organisation Viewer
        - Project Creator

# DeploymentManager Resource:
type    cloudresourcemanager.v1.project
name    MyNewProject
parent  
  id: '{folder1-id}'
  type: folder
projectId: MyNewProject

The desired result is that MyNewProject should be created under Folder1. However; It appears as if the deployment manager service account does not have sufficent permissions:

$ CLOUDSDK_CORE_PROJECT=Seed-Project gcloud deployment-manager deployments \
  create MyNewDeployment \
  --config config.yaml \
  --verbosity=debug

Error message:

- code: RESOURCE_ERROR
  location: /deployments/MyNewDeployment/resources/MyNewProject
  message: '{"ResourceType":"cloudresourcemanager.v1.project",
             "ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
    caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/MyNewProject","httpMethod":"GET"}}'

I've done some digging, and it appears to be calling the resourcemanager.projects.get method; The 'Compute Shared VPC Admin (roles/compute.xpnAdmin)' role should provide this permission as documented here: https://cloud.google.com/iam/docs/understanding-roles

Except that doesn't seem to be the case, whats going on ?

Edit

Id like to add some additional information gathered from debugging efforts: These are the API requests from the deployment manager, (from the seed project).

You can see that the caller is an anonymous service account, this isn't what id expect to see. (Id expect to see {Seed-Project-Number}@cloudservices.gserviceaccount.com as the calling account here)

Edit-2

config.yaml

imports:
  - path: composite_types/project/project.py
    name: project.py

resources:
  - name: MyNewProject
    type: project.py
    properties:
      parent:
        type: folder
        id: "{folder1-id}"
      billingAccountId: billingAccounts/REDACTED
      activateApis:
        - compute.googleapis.com
        - deploymentmanager.googleapis.com
        - pubsub.googleapis.com
      serviceAccounts: []

composite_types/project/* is an exact copy of the templates found here:

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/community/cloud-foundation/templates/project


回答1:


The key thing is that this is a GET operation, not an attempt to create the project. This is to verify global uniqueness of the project-id requested, and if not unique, PERMISSION_DENIED is thrown.

Lousy error message, lots of wasted developer hours !



来源:https://stackoverflow.com/questions/55355848/gcp-project-creation-via-deploymentmanager

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!