I am trying to convert the cert-manager CloudDNS example code to Terraform, but I can't get this snippet to work with Workload Identity:

gcloud iam service-accounts add-iam-policy-binding \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:$PROJECT_ID.svc.id.goog[cert-manager/cert-manager]" \
    dns01-solver@$PROJECT_ID.iam.gserviceaccount.com
I have tried:

resource "google_service_account_iam_binding" "dns01_solver_binding" {
  service_account_id = google_service_account.dns01_solver.name
  role               = "roles/iam.workloadIdentityUser"
  members = [
    "serviceAccount:${var.project_id}.svc.id.goog[cert-manager/cert-manager]/dns01-solver@${var.project_id}.iam.gserviceaccount.com",
  ]
}
and

resource "google_project_iam_member" "main" {
  project = var.project_id
  role    = "roles/iam.workloadIdentityUser"
  member  = "serviceAccount:${var.project_id}.svc.id.goog[cert-manager/cert-manager]/dns01-solver@${var.project_id}.iam.gserviceaccount.com"
}
I keep getting the error:

│ Error: Error applying IAM policy for service account 'projects/my-project.iam/serviceAccounts/[email protected]':
│ Error setting IAM policy for service account 'projects/my-project.iam/serviceAccounts/[email protected]':
│ googleapi: Error 400: Invalid service account (my-project.iam.svc.id.goog[cert-manager/cert-manager]/[email protected])., badRequest
│
│ with google_service_account_iam_binding.dns01_solver_binding,
│ on cert-manager.tf line 47, in resource "google_service_account_iam_binding" "dns01_solver_binding":
│ 47: resource "google_service_account_iam_binding" "dns01_solver_binding" {
The required service account also exists in the cert-manager Kubernetes namespace.
I think the error is caused by the member being
"serviceAccount:${var.project_id}.svc.id.goog[cert-manager/cert-manager]/dns01-solver@${var.project_id}.iam.gserviceaccount.com"
when it should be just "serviceAccount:$PROJECT_ID.svc.id.goog[cert-manager/cert-manager]". See the documentation here for more information. It is also worth considering whether you want an authoritative or a non-authoritative type of policy, which is also explained in the documentation.

resource "google_service_account_iam_binding" "dns01_solver_binding" {
  service_account_id = google_service_account.dns01_solver.name
  role               = "roles/iam.workloadIdentityUser"
  members = [
    "serviceAccount:${var.project_id}.svc.id.goog[cert-manager/cert-manager]",
  ]
}
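As an added example (not code from the question, the answer or the cert-manager project), here is the full Terraform wiring of both sides of the Workload Identity trust for the DNS-01 solver, using the non-authoritative `*_iam_member` resource. It assumes `var.project_id`, a GKE cluster with Workload Identity enabled, the `google` and `kubernetes` providers configured, the `cert-manager` namespace with a Kubernetes service account named `cert-manager`, and `roles/dns.admin` as the Cloud DNS role the cert-manager CloudDNS documentation grants.

```hcl
# Added example; assumes var.project_id and a Workload-Identity-enabled GKE cluster.

# Google service account that cert-manager will impersonate.
resource "google_service_account" "dns01_solver" {
  account_id   = "dns01-solver"
  display_name = "cert-manager DNS-01 solver"
}

# The permission the solver actually needs: manage records in Cloud DNS.
# roles/dns.admin is what the cert-manager docs grant; it is scoped to one project.
resource "google_project_iam_member" "dns01_solver_dns_admin" {
  project = var.project_id
  role    = "roles/dns.admin"
  member  = "serviceAccount:${google_service_account.dns01_solver.email}"
}

# Trust relationship, GCP side: allow the Kubernetes service account
# cert-manager/cert-manager to act as the Google service account.
# The member is only the workload-identity pool principal; the GSA is
# identified by service_account_id, not appended to the member string.
# *_iam_member is non-authoritative: it adds this binding without replacing
# other members that already hold the role on this service account.
resource "google_service_account_iam_member" "dns01_solver_workload_identity" {
  service_account_id = google_service_account.dns01_solver.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[cert-manager/cert-manager]"
}

# Trust relationship, Kubernetes side: the KSA must declare which GSA it maps
# to; without the annotation the pod's tokens carry only the pool identity and
# no GSA permissions. If the cert-manager Helm chart creates this service
# account, set the annotation through the chart's values instead.
resource "kubernetes_service_account" "cert_manager" {
  metadata {
    name      = "cert-manager"
    namespace = "cert-manager"
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.dns01_solver.email
    }
  }
}
```

After `terraform apply`, `gcloud iam service-accounts get-iam-policy dns01-solver@PROJECT_ID.iam.gserviceaccount.com` should list the pool principal under `roles/iam.workloadIdentityUser` and nothing broader.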