I am trying to add database encryption to a GKE cluster. I previously ran destroy on the cluster, and now I am trying to put it back together.
It feels like the service account should be created as part of the private cluster creation.
From my terraform plan I am expecting:
# module.private_cluster.google_kms_crypto_key_iam_member.gke_database_encryption_key will be created
+ resource "google_kms_crypto_key_iam_member" "gke_database_encryption_key" {
+ crypto_key_id = "projects/my-project/locations/europe-west2/keyRings/prod-keyring/cryptoKeys/prod-gke-encryption-key"
+ etag = (known after apply)
+ id = (known after apply)
+ member = "serviceAccount:service-<project_number>@container-engine-robot.iam.gserviceaccount.com"
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
}
But applying this tells me the SA does not exist:
│ Error: Error applying IAM policy for KMS CryptoKey "projects/my-project/locations/europe-west2/keyRings/prod-keyring/cryptoKeys/prod-gke-encryption-key":
Error setting IAM policy for KMS CryptoKey "projects/my-project/locations/europe-west2/keyRings/prod-keyring/cryptoKeys/prod-gke-encryption-key": googleapi:
Error 400: Service account service-<project_number>@container-engine-robot.iam.gserviceaccount.com does not exist., badRequest
│
│ with module.private_cluster.google_kms_crypto_key_iam_member.gke_database_encryption_key,
│ on ../../../modules/private_cluster/kms.tf line 18, in resource "google_kms_crypto_key_iam_member" "gke_database_encryption_key":
│ 18: resource "google_kms_crypto_key_iam_member" "gke_database_encryption_key" {
In a previous project with the same resource definitions I did not run into this problem, so I assume this SA should be set up as part of cluster creation. For KMS, the resource definitions are:
resource "google_kms_crypto_key" "gke_database_encryption_key" {
  name     = var.kms_gke_encryption_key
  key_ring = google_kms_key_ring.kms_keyring.id
  purpose  = "ENCRYPT_DECRYPT"
  # rotation_period = "0s"

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_crypto_key_iam_member" "gke_database_encryption_key" {
  crypto_key_id = google_kms_crypto_key.gke_database_encryption_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${var.project_number}@container-engine-robot.iam.gserviceaccount.com"
}
Is it possible to create this SA after the fact, or am I better off setting up a new project and starting over?
You can restore the default GKE service agent service-<project_number>@container-engine-robot.iam.gserviceaccount.com; see the documentation in [1] and [2].
If you delete the default GKE service agent, you can undelete it by following the instructions in "Undeleting a service account".
[1] https://cloud.google.com/kubernetes-engine/docs/how-to/service-accounts#gke-service-agents
[2] https://cloud.google.com/iam/docs/service-accounts-delete-undelete#undeleting
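For the Terraform side of the question, the following is an added example (not the poster's module and not from the linked docs) of how to make the KMS binding depend on the GKE service agent actually existing, so the plan shown above cannot fail with "does not exist". It uses the google-beta resource google_project_service_identity, which asks Google to create the project's service agent for container.googleapis.com if it is missing, and then binds whatever email the API reports rather than a string built from var.project_number. It assumes a configured google-beta provider, a var.project_id variable, and the key ring, key and variable names from the question; the cluster name and node count are constructed placeholders.

```hcl
# Added example, not the poster's code. Assumes provider "google-beta" is
# configured and that var.project_id and var.kms_gke_encryption_key exist.

# The GKE service agent (container-engine-robot) is normally created when the
# Container API is enabled; after a project teardown it can be absent. This
# resource keeps the API enabled without disabling it on destroy.
resource "google_project_service" "container" {
  project            = var.project_id
  service            = "container.googleapis.com"
  disable_on_destroy = false
}

# Explicitly request the service agent for container.googleapis.com. Its
# "email" attribute is the service-<project_number>@container-engine-robot
# address, so nothing has to be hand-assembled from the project number.
resource "google_project_service_identity" "gke" {
  provider = google-beta
  project  = var.project_id
  service  = "container.googleapis.com"

  depends_on = [google_project_service.container]
}

resource "google_kms_key_ring" "kms_keyring" {
  name     = "prod-keyring"   # as in the question's key path
  location = "europe-west2"   # as in the question's key path
}

resource "google_kms_crypto_key" "gke_database_encryption_key" {
  name     = var.kms_gke_encryption_key
  key_ring = google_kms_key_ring.kms_keyring.id
  purpose  = "ENCRYPT_DECRYPT"

  lifecycle {
    prevent_destroy = true
  }
}

# Grant encrypt/decrypt on this single key only (not a project-wide KMS role);
# referencing the identity resource orders this binding after the agent exists.
resource "google_kms_crypto_key_iam_member" "gke_database_encryption_key" {
  crypto_key_id = google_kms_crypto_key.gke_database_encryption_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${google_project_service_identity.gke.email}"
}

# Minimal cluster using the key for etcd secret encryption. The binding must be
# in place before GKE tries to use the key, hence the explicit depends_on.
resource "google_container_cluster" "private" {
  name               = "prod-private"   # constructed placeholder name
  location           = "europe-west2"
  initial_node_count = 1                # constructed placeholder

  database_encryption {
    state    = "ENCRYPTED"
    key_name = google_kms_crypto_key.gke_database_encryption_key.id
  }

  depends_on = [google_kms_crypto_key_iam_member.gke_database_encryption_key]
}
```

The identity resource covers the "never created" case. If the agent was created and then deleted, the undelete route from the answer above still applies, because a deleted service agent keeps its original unique ID and existing bindings may reference it. The equivalent one-off CLI check is `gcloud beta services identity create --service=container.googleapis.com --project=<project_id>`, which prints the agent's email on success.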