GKE 项目中缺少服务帐户

问题描述 投票:0回答:1

我正在尝试向 GKE 集群添加数据库加密。我之前在集群上运行了 

destroy
,现在我正在尝试将其重新组合在一起。

感觉应该创建一个服务帐户作为私有集群创建的一部分。

来自我的

terraform plan
我期待着;

  # module.private_cluster.google_kms_crypto_key_iam_member.gke_database_encryption_key will be created
  + resource "google_kms_crypto_key_iam_member" "gke_database_encryption_key" {
      + crypto_key_id = "projects/my-project/locations/europe-west2/keyRings/prod-keyring/cryptoKeys/prod-gke-encryption-key"
      + etag          = (known after apply)
      + id            = (known after apply)
      + member        = "serviceAccount:service-<project_number>@container-engine-robot.iam.gserviceaccount.com"
      + role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    }

但是应用这个告诉我 SA 不存在;

│ Error: Error applying IAM policy for KMS CryptoKey "projects/my-project/locations/europe-west2/keyRings/prod-keyring/cryptoKeys/prod-gke-encryption-key": 
  Error setting IAM policy for KMS CryptoKey "projects/my-project/locations/europe-west2/keyRings/prod-keyring/cryptoKeys/prod-gke-encryption-key": googleapi: 
  Error 400: Service account service-<project_number>@container-engine-robot.iam.gserviceaccount.com does not exist., badRequest
│ 
│   with module.private_cluster.google_kms_crypto_key_iam_member.gke_database_encryption_key,
│   on ../../../modules/private_cluster/kms.tf line 18, in resource "google_kms_crypto_key_iam_member" "gke_database_encryption_key":
│   18: resource "google_kms_crypto_key_iam_member" "gke_database_encryption_key" {

在之前具有相同资源定义的项目中,我没有遇到此问题,因此我认为该 SA 应该作为集群创建的一部分进行设置。对于 KMS,资源定义为;

resource "google_kms_crypto_key" "gke_database_encryption_key" {
  name     = var.kms_gke_encryption_key
  key_ring = google_kms_key_ring.kms_keyring.id
  purpose  = "ENCRYPT_DECRYPT"
  # rotation_period = "0s"

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_crypto_key_iam_member" "gke_database_encryption_key" {
  crypto_key_id = google_kms_crypto_key.gke_database_encryption_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${var.project_number}@container-engine-robot.iam.gserviceaccount.com"
}

事后是否可以创建此 SA,或者我最好建立一个新项目并重新开始?

terraform google-kubernetes-engine terraform-provider-gcp
1个回答
0
投票

可以恢复

servi[email protected]
默认的GKE服务代理,请查看以下文档[1]和[2]。

如果您删除默认的 GKE 服务代理,您可以按照取消删除服务帐号中的说明取消删除。

[1] https://cloud.google.com/kubernetes-engine/docs/how-to/service-accounts#gke-service-agents

[2] https://cloud.google.com/iam/docs/service-accounts-delete-undelete#undeleting

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.