当我尝试使用以下命令在云上部署我的 docker 镜像时:
gcloud run deploy --image $MULTI_REGION/$PROJECT/$IMAGE --memory $MEMORY --region $REGION --env-vars-file .env.yaml
我收到错误消息:
Deploying container to Cloud Run service [image-name] in project [wagon-bootcamp-352706] region [europe-west1]
X Deploying new service...
. Creating Revision...
. Routing traffic...
. Setting IAM Policy...
Deployment failed
ERROR: (gcloud.run.deploy) User [<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="f094959d919e9795de9c9f859983b0989f849d91999cde9682" rel="noreferrer noopener nofollow">[email protected]</a>] does not have permission to access namespaces instance [wagon-bootcamp-352706] (or it may not exist): Permission 'iam.serviceaccounts.actAs' denied on service account 9428020536<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="35030c18565a58454041507551504350595a4550471b52465047435c56505456565a405b411b565a58" rel="noreferrer noopener nofollow">[email protected]</a> (or it may not exist).
为了检查项目的权限,我使用 gcloud items get-iam-policy wagon-bootcamp-352706
:
bindings:
- members:
- serviceAccount:service-942802053669@gcp-sa-artifactregistry.iam.gserviceaccount.com
role: roles/artifactregistry.serviceAgent
- members:
- serviceAccount:<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="1e6d7b6c68777d7b33272a2c262e2c2e2b2d2828275e7d71706a7f77707b6c6c7b79776d6a6c6730777f7330796d7b6c68777d7b7f7d7d716b706a307d7173" rel="noreferrer noopener nofollow">[email protected]</a>
role: roles/containerregistry.ServiceAgent
- members:
- user:<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="2642434b47484143084a49534f55664e49524b474f4a084054" rel="noreferrer noopener nofollow">[email protected]</a>
role: roles/iam.serviceAccountUser
- members:
- serviceAccount:<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="82f1e7f0f4ebe1e7afbbb6b0bab2b0b2b7b1b4b4bbc2e1eeedf7e6afefeeace5edede5eee7ace1edefacebe3eface5f1e7f0f4ebe1e7e3e1e1edf7ecf6ace1edef" rel="noreferrer noopener nofollow">[email protected]</a>
role: roles/ml.serviceAgent
- members:
- user:<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="e4808189858a8381ca888b918d97a48c8b9089858d88ca8296" rel="noreferrer noopener nofollow">[email protected]</a>
role: roles/owner
- members:
- serviceAccount:<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="05766077736c6660283c31373d353735303633333c45626675287664287570677670672b6c64682b62766077736c66606466666a706b712b666a68" rel="noreferrer noopener nofollow">[email protected]</a>
role: roles/pubsub.serviceAgent
- members:
- serviceAccount:service-942802053669@serverless-robot-prod.iam.gserviceaccount.com
role: roles/run.serviceAgent
- members:
- user:<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="ddb9b8b0bcb3bab8f3b1b2a8b4ae9db5b2a9b0bcb4b1f3bbaf" rel="noreferrer noopener nofollow">[email protected]</a>
role: roles/storage.admin
- members:
- user:<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="7713121a16191012591b18021e04371f18031a161e1b591105" rel="noreferrer noopener nofollow">[email protected]</a>
role: roles/storage.objectAdmin
- members:
- user:<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="7e1a1b131f10191b5012110b170d3e16110a131f171250180c" rel="noreferrer noopener nofollow">[email protected]</a>
role: roles/storage.objectCreator
我还检查了项目“wagon-bootcamp-352706”是一个不错的项目。
我还在容器注册表中检查了我的图像“image-name”已正确推送: 图像名称 eu.gcr.io 私有(private)
结论是,权限应该是有效的,之前的推送没有问题,项目名称也没有问题。唯一不清楚的是错误消息中提到的“帐户 [email protected]”,它不属于我,我不知道它是什么。有人知道这个问题吗?提前致谢。
最诚挚的问候,
路易斯·德曼热
最佳答案
问题在于服务帐户 <a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="340d00060c040604010702020d19575b59444140517450514251585b4451461a53475146425d57515557575b415a401a575b59" rel="noreferrer noopener nofollow">[email protected]</a>
不存在,因为 Compute Engine API 尚未启用(可能)或者您已将其删除。
您有两个选择:
- 通过访问例如 Compute Engine section 来启用 Compute Engine API .
- 如果您删除了 Compute Engine 默认 SA,则可以 recover it (如果最多 30 天前被删除)或使用 another Service Account可以与 Cloud Run 一起使用。
关于google-cloud-platform - 在云运行上部署时,服务帐户的权限 'iam.serviceaccounts.actAs' 被拒绝,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/73325475/