本文介绍了setIAM 403禁止的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
resources:
- name: practice-service-account
type: iam.v1.serviceAccount
properties:
displayName: practice-service-account
projectId: {{ project }}
accountId: practice-service-account
- name: get-iam-policy
action: 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy'
properties:
resource: resources-practice {# make this environment variable #}
- name: set-iam-policy
action: 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy'
properties:
resource: {{ project }}
policy: $(ref.get-iam-policy)
gcpIamPolicyPatch:
add:
- role: roles/viewer
members:
- user:[email protected]
- user:[email protected]
- user:[email protected]
为什么在尝试创建这些IAM资源时总是遇到以下错误?
Why am I always experiencing the error below when trying to create these IAM resources?
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1544014242908-57c45d47a0760-6a2ec217-9ee53506]: errors:
- code: RESOURCE_ERROR
location: /deployments/infrastructure/resources/set-iam-policy
message: '{"ResourceType":"gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/resources-practice:setIamPolicy","httpMethod":"POST"}}'
推荐答案
部署管理器使用[PROJECT_NUMBER]@cloudservices.gserviceaccount.com服务帐户起作用.此错误表明该服务帐户无权更改该项目上的IAM策略.尝试授予服务帐户iam.roleAdmin角色项目(或组织中的iam.organizationRoleAdmin角色).
Deployment manager acts using the [PROJECT_NUMBER]@cloudservices.gserviceaccount.com service account. This error indicates that that service account doesn't have permission to change the IAM policy on that project. Try granting the service account the iam.roleAdmin role on the project (or iam.organizationRoleAdmin role on the organization).
这篇关于setIAM 403禁止的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!