(Terraform, GCP) 错误 400: Role roles/run.invoker is not supported for this resource., badRequest

Question

在 GCP 上，我正在尝试将 "Service Account 2" 添加为 "Service Account 1" 的成员，其中 "Service Account 1" strong>Terraform 代码如下：

resource "google_service_account" "service_account_1" {
  display_name = "Service Account 1"
  account_id   = "service-account-1"
}

resource "google_service_account" "service_account_2" {
  display_name = "Service Account 2"
  account_id   = "service-account-2"
}

resource "google_service_account_iam_binding" "service_account_iam_binding" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/run.invoker"

  members = [
    "serviceAccount:${google_service_account.service_account_2.email}" 
  ]

  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}

但我在下面收到此错误：

为服务帐号应用 IAM 政策时出错 'projects/myproject-173831/serviceAccounts/service-account-1@myproject-173831.iam.gserviceaccount.com'： 为服务帐号设置 IAM 政策时出错 'projects/myproject-173831/serviceAccounts/service-account-1@myproject-173831.iam.gserviceaccount.com'： googleapi：错误 400：不支持角色角色/run.invoker 资源., badRequest

我的 Terraform 代码是否有任何错误？

Answer 1

服务帐号不支持“roles/run.invoker”。所以当然服务帐号“Service Account 1”不支持“roles/run.invoker”。只有 Cloud Run 支持 "roles/run.invoker"。

如果您确实想将“服务帐户2”添加为“服务帐户1”的成员，可以使用“roles/iam.serviceAccountUser " 或 "roles/iam.serviceAccountAdmin"。

“google_service_account_iam_binding” 与 “roles/iam.serviceAccountUser”：

resource "google_service_account_iam_binding" "service_account_iam_binding" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/iam.serviceAccountUser" // Here

  members = [
    "serviceAccount:${google_service_account.service_account_2.email}" 
  ]

  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}

“google_service_account_iam_binding” 与 “roles/iam.serviceAccountAdmin”：

resource "google_service_account_iam_binding" "service_account_iam_binding" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/iam.serviceAccountAdmin" // Here

  members = [
    "serviceAccount:${google_service_account.service_account_2.email}" 
  ]

  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}

此外，您可以将 "google_service_account_iam_member" 与 "roles/iam.serviceAccountUser" 或 "roles/iam.serviceAccountAdmin" 一起使用“google_service_account_iam_binding”。

“google_service_account_iam_member” 与 “roles/iam.serviceAccountUser”：

resource "google_service_account_iam_member" "service-account-iam_member" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.service_account_2.email}"

  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}

“google_service_account_iam_member” 与 “roles/iam.serviceAccountAdmin”：

resource "google_service_account_iam_member" "service-account-iam_member" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/iam.serviceAccountAdmin"
  member             = "serviceAccount:${google_service_account.service_account_2.email}"

  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}

最后，您可以将“Service Account 2”添加为“Service Account 1”的成员。