Permission error creating project with GCP token, terraform and vault


Problem description

Permission error creating project with GCP token, terraform and vault

I want to create a GCP project with terraform, using vault to obtain the token. I have configured the GCP secrets engine and, from terraform, I ask vault for a token; but when I run terraform to create the project I get this error message:

Error 403: Service accounts cannot create projects without a parent., forbidden. If you received a 403 error, make sure you have the `roles/resourcemanager.projectCreator` permission
│ 
│   with module.gcp-project.google_project.project,
│   on .terraform/modules/gcp-project/main.tf line 6, in resource "google_project" "project":
│    6: resource "google_project" "project" {

I think the problem is in the binding of the roleset for the vault token, but I don't know which resource I have to put in the roleset.

I tried using the resourcemanager.projectCreator role, but it always asks me for a project name.

Should I grant the permission on the whole organization? Because if I want to create new projects and I put an existing project as the resource, I will not be able to create another project.

Thanks!!


Reference answers

Answer 1:

You must create a GCP Organization resource and ensure your Vault GCP roleset is created in a project that lives inside the org (e.g. an "admin" project).

When you create the project creator roleset using terraform, you need to grant it a role that has the resourcemanager.projects.create permission. You can create the binding against the whole org, or against an individual folder within the org. For example:

resource "vault_gcp_secret_roleset" "default" {
  backend      = var.gcp_secret_backend
  roleset      = var.roleset_name
  project      = var.project
  secret_type  = var.secret_type
  token_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

  binding {
    resource = "//cloudresourcemanager.googleapis.com/folders/${var.folder_id}"

    roles = [
      "roles/resourcemanager.projectCreator",
      "roles/resourcemanager.projectMover",
      "roles/resourcemanager.projectDeleter",
    ]
  }
}

(by EMGMorgan Peat)
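The consuming side of that roleset, as an added example that is not part of the original question or answer: terraform fetches a short-lived token from Vault, hands it to the google provider, and creates the project under the folder the binding covers. The variable names, roleset name and project id are assumptions; `vault_gcp_secret_access_token`, the google provider's `access_token` argument and `google_project.folder_id` are existing provider APIs.

```hcl
# Added example (not from the original post). Variable names, the roleset
# name and the project id below are assumptions for illustration.

variable "gcp_secret_backend" { default = "gcp" }             # Vault mount path of the GCP secrets engine
variable "roleset_name"       { default = "project-creator" } # roleset created in the answer
variable "folder_id"          {}                              # numeric id of the folder the roleset is bound to

# Vault mints a short-lived OAuth2 access token for the roleset's service
# account. The folder-level projectCreator binding from the answer is what
# lets this token create projects under that folder, and nowhere else.
data "vault_gcp_secret_access_token" "creator" {
  backend = var.gcp_secret_backend
  roleset = var.roleset_name
}

# Authenticate the google provider with that token instead of a long-lived key file.
provider "google" {
  access_token = data.vault_gcp_secret_access_token.creator.token
}

resource "google_project" "project" {
  name       = "example-project"
  project_id = "example-project-123456" # constructed value; must be globally unique

  # The 403 in the question ("cannot create projects without a parent") is
  # what the API returns when this is missing: a service account may only
  # create a project under a folder or organization it holds projectCreator on.
  folder_id = var.folder_id

  lifecycle {
    # Surface the missing-parent case at plan time instead of as an API 403.
    precondition {
      condition     = var.folder_id != ""
      error_message = "folder_id must be set: service accounts cannot create projects without a parent."
    }
  }
}
```

Grant the roleset only the roles the pipeline needs; projectMover and projectDeleter from the answer can be dropped if the automation only ever creates projects.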

References

  1. Permisson error creating project with GCP token, terraform and vault (CC BY‑SA 2.5/3.0/4.0)

#terraform #vault #google-cloud-platform