尝试使用Cloud Build将DAG上载到Composer存储桶时出现权限错误

问题描述 投票:-1回答:1

我正在使用Cloud Build将DAG上传到Composer环境的存储桶中的data文件夹,使用我的cloudbuild.yaml中的以下步骤:

steps:
- name: gcr.io/cloud-builders/gcloud
  args: ["composer", "environments", "storage", "data", "import", "--environment", "test-environment", "--location", "europe-west1",
         "--source", "test_dag.py", "--destination", "test"]

但是,在运行gcloud builds submit .时,Cloud Build在此步骤失败,并出现以下权限错误:

Step #0: ERROR: (gcloud.composer.environments.storage.data.import)
PERMISSION_DENIED: The caller does not have permission
Finished Step #0
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/gcloud" failed:
exit status 1
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

ERROR: (gcloud.builds.submit) build f9732670-8e98-475a-96f9eb7d509cf6ac 
completed with status "FAILURE"

我假设“调用者”是项目的默认Cloud Build服务帐户,因此我尝试为该服务帐户提供相关存储桶的“Cloud Composer环境和存储对象管理员”角色,但这并未解决问题。在本地构建(cloud-build-local --dryrun=false .)中运行导入命令工作正常。

我该如何摆脱这个错误?我是否向错误的服务帐户提供了错误的权限?

google-cloud-platform google-cloud-composer google-cloud-build google-cloud-iam
1个回答
0
投票

基于Cloud Composer access control doc,您需要在与预期的Composer环境相同的项目中将roles/ composer.environmentAndStorageObjectViewer授予Cloud Build服务帐户(例如,{project-number}@cloudbuild.gserviceaccount.com)。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.