This article covers how to handle "Error 403: Required 'container.clusters.create' permission" from Terraform apply when authenticating with a JSON key for a service account that holds the Owner role; it is offered as a reference for anyone hitting the same problem.

Problem description

I've already created a service account and added a JSON key with the owner role, then downloaded it from Chrome. Trying to create a Google cluster with Terraform apply, but getting this error:

2020/09/26 01:46:14 [ERROR] eval: *terraform.EvalApplyPost, err: googleapi: Error 403: Required "container.clusters.create" permission(s) for "projects/gitops-webinar"., forbidden

Extended logs:

Terraform main.tf file

provider "google" {
 credentials = file("~/gitops-project-290611-01b6aabd6093.json")
 project     = "gitops-webinar"
 region      = "us-central1-a"
}

$ ls -la gitops-project-290611-01b6aabd6093.json

-rw-r--r--@ 1 organic  staff  2346 Sep 25 14:56 gitops-project-290611-01b6aabd6093.json

$ gcloud projects get-iam-policy gitops-project-290611 | pbcopy

bindings:
- members:
  - deleted:serviceAccount:[email protected]?uid=112358266788784007511
  - deleted:serviceAccount:[email protected]?uid=113184308230946951276
  role: roles/compute.admin
- members:
  - serviceAccount:[email protected]
  role: roles/compute.instanceAdmin
- members:
  - serviceAccount:[email protected]
  role: roles/compute.serviceAgent
- members:
  - deleted:serviceAccount:[email protected]?uid=112358266788784007511
  - deleted:serviceAccount:[email protected]?uid=113184308230946951276
  - serviceAccount:[email protected]
  role: roles/container.admin
- members:
  - deleted:serviceAccount:[email protected]?uid=113184308230946951276
  role: roles/container.clusterAdmin
- members:
  - serviceAccount:service-782490657309@container-engine-robot.iam.gserviceaccount.com
  role: roles/container.serviceAgent
- members:
  - serviceAccount:[email protected]
  role: roles/containeranalysis.ServiceAgent
- members:
  - serviceAccount:[email protected]
  role: roles/containeranalysis.admin
- members:
  - serviceAccount:[email protected]
  role: roles/containerregistry.ServiceAgent
- members:
  - serviceAccount:[email protected]
  - serviceAccount:[email protected]
  role: roles/editor
- members:
  - deleted:serviceAccount:[email protected]?uid=112358266788784007511
  - serviceAccount:[email protected]
  role: roles/iam.serviceAccountUser
- members:
  - deleted:serviceAccount:[email protected]?uid=112358266788784007511
  - serviceAccount:[email protected]
  - deleted:serviceAccount:[email protected]?uid=115339463706838203610
  - user:[email protected]
  role: roles/owner
- members:
  - serviceAccount:[email protected]
  role: roles/redis.serviceAgent
- members:
  - deleted:serviceAccount:[email protected]?uid=113184308230946951276
  role: roles/resourcemanager.organizationAdmin
- members:
  - deleted:serviceAccount:[email protected]?uid=112358266788784007511
  role: roles/resourcemanager.projectIamAdmin
- members:
  - serviceAccount:[email protected]
  role: roles/secretmanager.admin
- members:
  - deleted:serviceAccount:[email protected]?uid=113184308230946951276
  role: roles/storage.admin
etag: BwWwOdndDu0=
version: 1


Recommended answer

I think I found the issue. You are using the project name, not the project ID. Try this:

provider "google" {
 credentials = file("~/gitops-project-290611-01b6aabd6093.json")
 project     = "gitops-project-290611"  # the project ID (as in the key file's name), not the display name
 region      = "us-central1-a"  # note: "us-central1-a" is a zone; the provider has a separate zone argument for zone names
}

You don't have access to the gitops-webinar project ID.
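A preflight check for the mismatch the answer identifies, added here as an example; it is not code from the question or the answer. The key file name in the question already carries the project ID (gitops-project-290611), and a service-account key's JSON records the project it belongs to in its project_id field, so the provider's project argument can be compared against it before terraform apply is run. The script also flags two things visible in the thread that the answer does not mention: the key file is -rw-r--r-- (group and world readable), which a long-lived credential should not be, and "us-central1-a" is a zone, so it belongs in the provider's zone argument rather than region. The key JSON, provider blocks and IAM policy excerpt in the code are constructed sample data with placeholder addresses (the thread's own addresses are redacted) and a placeholder private key; the function names are mine.

```python
"""Preflight for a Terraform google provider block and the service-account
key it authenticates with. Added example for this thread, not code from the
question or the answer; the key JSON, provider blocks and IAM policy excerpt
are constructed sample data with placeholder addresses and a placeholder key."""
import json
import re
import stat

# Constructed: a key in the shape GCP emits (same field names, fake values).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "gitops-project-290611",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "terraform@gitops-project-290611.iam.gserviceaccount.com",
})

# The block as posted: project is the display name, and region holds a zone.
PROVIDER_AS_POSTED = '''
provider "google" {
 credentials = file("~/gitops-project-290611-01b6aabd6093.json")
 project     = "gitops-webinar"
 region      = "us-central1-a"
}
'''

# Same block with the project ID from the key and the zone argument.
PROVIDER_CORRECTED = '''
provider "google" {
 credentials = file("~/gitops-project-290611-01b6aabd6093.json")
 project     = "gitops-project-290611"
 zone        = "us-central1-a"
}
'''

# Constructed excerpt in the layout of `gcloud projects get-iam-policy`.
SAMPLE_POLICY = """bindings:
- members:
  - deleted:serviceAccount:old-ci@gitops-project-290611.iam.gserviceaccount.com?uid=112358266788784007511
  - serviceAccount:terraform@gitops-project-290611.iam.gserviceaccount.com
  role: roles/container.admin
- members:
  - serviceAccount:terraform@gitops-project-290611.iam.gserviceaccount.com
  role: roles/iam.serviceAccountUser
- members:
  - serviceAccount:terraform@gitops-project-290611.iam.gserviceaccount.com
  - user:someone@example.com
  role: roles/owner
etag: BwWwOdndDu0=
version: 1
"""

ZONE_RE = re.compile(r"^[a-z]+-[a-z]+\d-[a-z]$")  # e.g. us-central1-a


def parse_provider_block(hcl):
    """Simple `name = value` arguments of the provider "google" block; quotes stripped."""
    body = re.search(r'provider\s+"google"\s*\{(.*?)\}', hcl, re.S)
    if body is None:
        raise ValueError('no provider "google" block found')
    return {m.group(1): m.group(2).strip('"')
            for m in re.finditer(r'^\s*(\w+)\s*=\s*(.+?)\s*$', body.group(1), re.M)}


def check_key_against_provider(key, provider):
    """Findings as strings; an empty list means the block is consistent with the key."""
    findings = []
    if key.get("type") != "service_account":
        findings.append("key type %r is not service_account" % key.get("type"))
    if provider.get("project") != key.get("project_id"):
        findings.append("provider project %r != key project_id %r (use the ID, not the name)"
                        % (provider.get("project"), key.get("project_id")))
    if ZONE_RE.match(provider.get("region", "")):
        findings.append("region %r is a zone name; use the zone argument" % provider["region"])
    return findings


def check_key_file_mode(mode):
    """A downloaded key is a long-lived credential: anything beyond 0600 is a finding."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "key file mode %o is group/world readable; chmod 600 it" % (mode & 0o777)
    return ""


def roles_for_member(policy_text, member):
    """Roles bound to one principal, parsed line by line from the gcloud YAML."""
    roles, members = [], []
    for line in map(str.strip, policy_text.splitlines()):
        if line.startswith("- members:"):
            members = []
        elif line.startswith("- "):
            members.append(line[2:])
        elif line.startswith("role:") and member in members:
            roles.append(line.split(":", 1)[1].strip())
    return roles


if __name__ == "__main__":
    key = json.loads(SAMPLE_KEY_JSON)
    for label, hcl in (("as posted", PROVIDER_AS_POSTED), ("corrected", PROVIDER_CORRECTED)):
        print(label, check_key_against_provider(key, parse_provider_block(hcl)) or "ok")
    print(check_key_file_mode(0o644))  # the -rw-r--r-- shown in the question's ls -la
    print(roles_for_member(SAMPLE_POLICY, "serviceAccount:" + key["client_email"]))
```

Against the real project, the output of gcloud projects get-iam-policy gitops-project-290611 can be fed to roles_for_member to confirm what the service account actually holds there; a 403 naming projects/gitops-webinar says nothing about that project's policy, since Owner on one project grants nothing on another. In the excerpt above the account holds roles/owner, which is far broader than the single container.clusters.create permission the error asks for: roles/container.admin together with roles/iam.serviceAccountUser is what GKE cluster creation needs. The deleted: principals in the policy dump are stale bindings left behind when service accounts were deleted and can be removed.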


08-04 04:44