I'm creating a service account through Deployment Manager, to which I can add a role like roles/viewer with this snippet:
resources:
- type: gcp-types/iam-v1:projects.serviceAccounts
  name: set-access
  properties:
    accountId: sa
    displayName: sa
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/viewer
        members:
        - "serviceAccount:sa@{project}.iam.gserviceaccount.com"
To reproduce, copy the snippet above, put it in a YAML file and run:
gcloud deployment-manager deployments create --config file.yml name
If I try to change the role to roles/cloudkms.cryptoKeyDecrypter, I get this error:
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1575205753577-598a42b63dfc0-0bf0754c-12be57fc]: errors:
- code: RESOURCE_ERROR
  location: /deployments/sa/resources/set-access
  message: '{
    "ResourceType": "gcp-types/iam-v1:projects.serviceAccounts",
    "ResourceErrorCode": "400",
    "ResourceErrorMessage": {
      "code": 400,
      "message":"Role roles/cloudkms.cryptoKeyDecrypter is not supported for this resource.",
      "status":"INVALID_ARGUMENT",
      "statusMessage":"Bad Request",
      "requestPath":"https://iam.googleapis.com/v1/projects/{project}/serviceAccounts/sa@project.iam.gserviceaccount.com:setIamPolicy",
      "httpMethod":"POST"}
    }}'
Asked by Ramon Medeiros; translated from SO.
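
The requestPath in the error ends in serviceAccounts/...:setIamPolicy: the accessControl block sets the IAM policy on the service account itself (who may use or administer it), and that resource rejects the KMS role. As an added example, not part of the original question, this configuration grants the role to the account at project level instead. PROJECT_ID is a placeholder and the resource name sa-kms-decrypter is hypothetical.

```yaml
resources:
# The service account itself. No accessControl block, so its own IAM policy
# (who may impersonate or administer it) is left untouched.
- name: set-access
  type: gcp-types/iam-v1:projects.serviceAccounts
  properties:
    accountId: sa
    displayName: sa

# Hypothetical resource name. Adds a single member/role pair to the project's
# IAM policy without overwriting the project's other bindings.
- name: sa-kms-decrypter
  type: gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding
  properties:
    resource: PROJECT_ID   # placeholder: the ID of the project holding the keys
    role: roles/cloudkms.cryptoKeyDecrypter
    member: serviceAccount:$(ref.set-access.email)
```

A project-level binding lets the account decrypt with every key in the project; binding the role on a single key or key ring is the narrower grant. The identity Deployment Manager runs as also needs permission to change the project's IAM policy for this resource to deploy.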