【发布时间】:2020-01-17 02:07:45
【问题描述】:
我有:
- 服务帐号
- 使用该服务的 GCE 实例 帐号
- 上传到 GCR 的容器图像
我似乎无法授予对该实例的只读 GCR 访问权限。所有资源都在同一个项目中。我尝试将storage.admin 和storage.objectViewer 角色授予服务帐户,并且在每种情况下访问容器注册表都会导致https://eu.gcr.io/v2/<project>/<image>/manifests/latest: 401 Unauthorized。
我读过的所有文档都说我需要在该区域的 GCR 存储桶上授予 storage-rw 范围和 storage.objectViewer,我拥有所有这些。
我正在使用 Terraform 配置所有这些。您如何使用 Terraform 配置对服务帐户的 GCR 访问?
这是我的代码:
locals {
gcr-region = "eu"
}
resource "google_service_account" "service_account" {
account_id = "k3s-master"
display_name = "k3s-master"
}
resource "google_project_iam_member" "project" {
role = "roles/logging.logWriter"
member = "serviceAccount:${google_service_account.service_account.email}"
}
resource "google_compute_instance" "instance" {
name = "${var.service_name}"
machine_type = "f1-micro"
allow_stopping_for_update = true
service_account {
email = "${google_service_account.service_account.email}"
scopes = [
"storage-rw",
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/compute",
]
}
boot_disk {
initialize_params {
image = "debian-9"
}
}
network_interface {
network = "${google_compute_network.k3s-network.self_link}"
access_config { }
}
}
resource "google_storage_bucket_iam_binding" "eu-binding" {
bucket = "eu.artifacts.${var.project}.appspot.com"
role = "roles/storage.objectViewer"
members = [
"serviceAccount:${google_service_account.service_account.email}",
]
}
resource "google_storage_bucket_iam_binding" "binding" {
bucket = "${var.project}.appspot.com"
role = "roles/storage.objectViewer"
members = [
"serviceAccount:${google_service_account.service_account.email}",
]
}
【问题讨论】:
标签: google-compute-engine terraform google-container-registry terraform-provider-gcp