App Engine deploy: Permissions error fetching application

Problem description

We are using a service account to deploy our app to App Engine using Travis.

On every merged PR, Travis pulls the code from our GitHub repository, and pulls a Docker image which contains Google Cloud SDK and executes the gcloud app deploy command. We use a Service Account to perform the deployment with "Project Owner" role.

Everything used to work fine until I added a new service to the project which automates SSL certificate generation and renewal, along with a dispatch.yaml file to route traffic incoming from Let's Encrypt for domain verification. I needed to add more permissions to allow updating the SSL certificates we use for our custom domain. I removed the current service account, and created a new one with a new private key. I created a new role with the required permissions to update and view SSL certificates in addition to the previous permissions (all appengine.* permissions). I assigned the new role and the Project Owner role to the new account. After these changes, the deployment fails with the following error when executing the deploy command:

Permissions error fetching application [apps/hollowverse-c9cad]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.

I used the same service account on my local machine with logging level set to debug. I got this error:

DEBUG: HttpError accessing <https://appengine.googleapis.com/v1/apps/hollowverse-c9cad?alt=json>: response: <{'status': '403', 'content-length': '335', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'transfer-encoding': 'chunked', 'vary': 'Origin, X-Origin, Referer', 'server': 'ESF', '-content-encoding': 'gzip', 'cache-control': 'private', 'date': 'Wed, 02 Aug 2017 14:33:50 GMT', 'x-frame-options': 'SAMEORIGIN', 'alt-svc': 'quic=":443"; ma=2592000; v="39,38,37,36,35"', 'content-type': 'application/json; charset=UTF-8'}>, content <{
  "error": {
    "code": 403,
    "message": "Operation not allowed",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ResourceInfo",
        "resourceType": "gae.api",
        "description": "The \"appengine.applications.get\" permission is required."
      }
    ]
  }
}
>
DEBUG: (gcloud.beta.app.deploy) Permissions error fetching application [apps/hollowverse-c9cad]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.

The description says that appengine.applications.get is required to perform the deployment. Looking at the permissions granted to the role assigned to the Travis account we use to deploy, appengine.applications.get is clearly granted:

I assigned every possible App Engine and Project role to the account, but deployment still fails with the same error. However, using the default service account, which is automatically created for every new project on GCP, seems to be working.

Recommended answer

This is where it went wrong. The new account had the same ID as the previous one. Although I could not find this behavior documented anywhere, it looks like once an ID is used for a service account, it cannot be used again for a new account, even if the previous one is removed.

We created a new account with a new ID (travis2@hollowverse-c9cad.iam.gserviceaccount.com instead of [email protected]) and the issue is now resolved.
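An added diagnostic example (not part of the original answer): it scans a project IAM policy, in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, for role bindings that still point at a deleted service account sharing its e-mail with the account being checked. The sample policy, the account names and the `audit_service_account` and `diagnose` helpers are constructed for illustration, and the code assumes IAM lists removed principals as `deleted:serviceAccount:EMAIL?uid=ID`.

```python
import json

# Constructed sample policy (not taken from the original post).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@example.com",
                 "deleted:serviceAccount:deployer@example-project.iam.gserviceaccount.com?uid=100000000000000000001"]},
    {"role": "projects/example-project/roles/appDeployer",
     "members": ["deleted:serviceAccount:deployer@example-project.iam.gserviceaccount.com?uid=100000000000000000001"]},
    {"role": "roles/appengine.deployer",
     "members": ["serviceAccount:deployer2@example-project.iam.gserviceaccount.com"]}
  ]
}
""")

DELETED_PREFIX = "deleted:serviceAccount:"  # assumed marker for removed principals


def audit_service_account(policy, email):
    """Return (live_roles, stale) where stale is a list of (role, old_uid)."""
    live_roles, stale = [], []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member == f"serviceAccount:{email}":
                live_roles.append(binding["role"])
            elif member.startswith(DELETED_PREFIX):
                addr, _, query = member[len(DELETED_PREFIX):].partition("?")
                if addr == email:
                    # The binding belongs to the old account's unique ID.
                    stale.append((binding["role"], query.partition("uid=")[2]))
    return sorted(live_roles), sorted(stale)


def diagnose(policy, email):
    """Classify an account: 'ok', 'unbound', 'mixed' or 'stale-only'."""
    live, stale = audit_service_account(policy, email)
    if stale:
        return "mixed" if live else "stale-only"
    return "ok" if live else "unbound"


if __name__ == "__main__":
    for name in ("deployer", "deployer2"):
        email = f"{name}@example-project.iam.gserviceaccount.com"
        print(email, diagnose(SAMPLE_POLICY, email))
```

A `stale-only` result means every role for that e-mail is bound to the deleted account's unique ID, so a recreated account with the same name holds none of them until the bindings are removed and granted again.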
