Using GCP workload identity, I cannot provision a GKE cluster with Terraform from GitHub Actions.
Here is my GitHub Actions workflow file:
name: Infrastructure provisions
jobs:
  provision_gkes:
    permissions:
      contents: 'read'
      id-token: 'write'
    runs-on: 'ubuntu-latest'
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - id: auth
        uses: google-github-actions/auth@v0
        with:
          workload_identity_provider: ${{ env.IDENTITY_PROVIDER }}
          service_account: ${{ env.SERVICE_ACCOUNT }}
      - name: Provision gke
        working-directory: ./gke
        run: |-
          terraform init
          terraform plan --var-file=terraform_$ENVIRONMENT.tfvars -out my_plan
          terraform apply my_plan
Terraform main.tf
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 3.43.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 3.43.0"
    }
  }
}

provider "google" {
  project = var.project
  region  = var.region
}

provider "google-beta" {
  project = var.project
  region  = var.region
}

module "gke_cluster" {
  name     = var.cluster_name
  project  = var.project
  location = var.location
  network  = var.network
  // code goes on
  ...
}

resource "google_container_node_pool" "node_pool" {
  provider = google-beta
  name     = "private-pool"
  project  = var.project
  location = var.location
  cluster  = module.gke_cluster.name
  ...
  // code goes on
}

module "gke_service_account" {
  source      = "./modules/gke-service-account"
  name        = var.cluster_service_account_name
  project     = var.project
  description = var.cluster_service_account_description
}
I get the following error while the GitHub Actions job runs.
╷
│ Error: Attempted to load application default credentials since neither `credentials` nor `access_token` was set in the provider block. No credentials loaded. To use your gcloud credentials, run 'gcloud auth application-default login'. Original error: google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: unknown credential type: "external_account"
│
│ with provider["registry.terraform.io/hashicorp/google"],
│ on main.tf line 28, in provider "google":
│ 28: provider "google" {
│
╵
But I can provision other GCP components with Terraform in a similar way.
Here terraform init works fine; it is able to check the backend state file in the GCS bucket. That means it is able to connect to the account. However, terraform plan seems to run into a problem.
It should implicitly have GCP authorization.
Any suggestions?
Your Google provider is probably too old; workload identity federation tokens were not supported until 3.61.
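To check this diagnosis against a main.tf before re-running the pipeline, here is an added example (not code from the question or the answer) that evaluates Terraform version constraints and reports whether each google/google-beta entry in required_providers can resolve to a release that accepts external_account credentials; the 3.61.0 threshold is taken from the answer, and the sample HCL is a constructed copy of the question's block plus a corrected variant.

```python
import re

MIN_WIF_VERSION = "3.61.0"  # first hashicorp/google release that accepts external_account credentials

def parse_version(text):
    """'3.43' -> (3, 43, 0); missing components count as zero."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def constraint_allows(constraint, version):
    """True if every comma-separated clause of a Terraform constraint admits `version`."""
    ver = parse_version(version) if isinstance(version, str) else version
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(~>|>=|<=|!=|>|<|=)?\s*(\d+(?:\.\d+){0,2})\s*", clause)
        if not m:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        op, raw = m.group(1) or "=", m.group(2)
        base = parse_version(raw)
        if op == "~>":
            # Pessimistic operator: "~> 3.43.0" is >= 3.43.0, < 3.44.0; "~> 3.43" is >= 3.43.0, < 4.0.0.
            upper = (base[0], base[1] + 1, 0) if raw.count(".") == 2 else (base[0] + 1, 0, 0)
            ok = base <= ver < upper
        else:
            ok = {">=": ver >= base, "<=": ver <= base, ">": ver > base,
                  "<": ver < base, "=": ver == base, "!=": ver != base}[op]
        if not ok:
            return False
    return True

def admits_at_least(constraint, minimum):
    """True if the constraint leaves room for some release >= `minimum`."""
    floor = parse_version(minimum)
    # Candidates: the floor itself, plus each clause's base version and its successor.
    bases = [parse_version(b) for b in re.findall(r"\d+(?:\.\d+){0,2}", constraint)]
    cands = [floor] + bases + [(v[0], v[1], v[2] + 1) for v in bases]
    return any(c >= floor and constraint_allows(constraint, c) for c in cands)

PROVIDER_RE = re.compile(r'(\w[\w-]*)\s*=\s*\{\s*source\s*=\s*"([^"]+)"\s*,?\s*version\s*=\s*"([^"]+)"\s*\}')

def wif_ready_providers(hcl_text):
    """Map each google/google-beta entry in required_providers to whether it can resolve to a WIF-capable release."""
    return {name: admits_at_least(constraint, MIN_WIF_VERSION)
            for name, source, constraint in PROVIDER_RE.findall(hcl_text)
            if source in ("hashicorp/google", "hashicorp/google-beta")}

# Constructed sample: the question's required_providers block, then a copy with the fix applied.
OLD_MAIN_TF = """terraform {
  required_providers {
    google      = { source = "hashicorp/google",      version = "~> 3.43.0" }
    google-beta = { source = "hashicorp/google-beta", version = "~> 3.43.0" }
  }
}"""
NEW_MAIN_TF = OLD_MAIN_TF.replace("~> 3.43.0", ">= 3.61, < 4.0")
```

`wif_ready_providers(OLD_MAIN_TF)` reports both providers as not ready, while the `>= 3.61, < 4.0` variant passes; the same check can be pointed at any main.tf whose required_providers block uses the one-line object form shown.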