我正在通过Deployment Manager创建服务帐户,可以通过以下代码段添加类似roles/viewer
的角色:
resources:
- type: gcp-types/iam-v1:projects.serviceAccounts
name: set-access
properties:
accountId: sa
displayName: sa
accessControl:
gcpIamPolicy:
bindings:
- role: roles/viewer
members:
- "serviceAccount:sa@{project}.iam.gserviceaccount.com"
要复制,请复制上面的代码段,放入yaml文件并运行:
gcloud deployment-manager deployments create --config file.yml name
如果我尝试将角色更改为roles/cloudkms.cryptoKeyDecrypter
,则会出现此错误:
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1575205753577-598a42b63dfc0-0bf0754c-12be57fc]: errors:
- code: RESOURCE_ERROR
location: /deployments/sa/resources/set-access
message: '{
"ResourceType": "gcp-types/iam-v1:projects.serviceAccounts",
"ResourceErrorCode": "400",
"ResourceErrorMessage": {
"code": 400,
"message":"Role roles/cloudkms.cryptoKeyDecrypter is not supported for this resource.",
"status":"INVALID_ARGUMENT",
"statusMessage":"Bad Request",
"requestPath":"https: //iam.googleapis.com/v1/projects/{project}/serviceAccounts/[email protected]:setIamPolicy",
"httpMethod":"POST"}
}}'
我仍然不知道为什么不能使用上面的代码片段添加roles/cloudkms.cryptoKeyDecrypter
,但是我找到了另一种方法来创建具有此角色的服务帐户:
resources:
- name: get-iam-policy
action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
properties:
resource: YOUR_PROJECT_NAME
- name: add-iam-policy
action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
properties:
resource: YOUR_PROJECT_NAME
policy: $(ref.get-iam-policy)
gcpIamPolicyPatch:
add:
- role: roles/dataflow.serviceAgent
members:
- serviceAccount:deploymentmanager-samples@cloud-dm-arcus-oneshot.iam.gserviceaccount.com
- name: remove-iam-policy
action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
properties:
resource: YOUR_PROJECT_NAME
policy: $(ref.add-iam-policy)
gcpIamPolicyPatch:
remove:
- role: roles/dataflow.serviceAgent
members:
- serviceAccount:deploymentmanager-samples@cloud-dm-arcus-oneshot.iam.gserviceaccount.com