I am trying hard to deploy a Dataflow pipeline from Cloud Build using a specific SA (rather than the default Cloud Build SA), but so far without success.
I followed this process: https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts
The key has the following roles granted (more than the doc recommends).
Error:
apitools.base.py.exceptions.HttpForbiddenError: HttpError accessing <https://dataflow.googleapis.com/v1b3/projects/my-prj/locations/europe-west1/jobs?alt=json>: response: <{'vary': 'Origin, X-Origin, Referer', 'content-type': 'application/json; charset=UTF-8', 'date': 'Tue, 18 Apr 2023 14:03:30 GMT', 'server': 'ESF', 'cache-control': 'private', 'x-xss-protection': '0', 'x-frame-options': 'SAMEORIGIN', 'x-content-type-options': 'nosniff', 'transfer-encoding': 'chunked', 'status': '403', 'content-length': '812', '-content-encoding': 'gzip'}>, content <{
  "error": {
    "code": 403,
    "message": "(3b12042024f17c98): Current user cannot act as service account [email protected]. Please grant your user account one of [Owner, Editor, Service Account Actor] roles, or any other role that includes the iam.serviceAccounts.actAs permission. See https://cloud.google.com/iam/docs/service-accounts-actas for additional details. Causes: (3b12042024f17239): Current user cannot act as service account [email protected]. Please grant your user account one of [Owner, Editor, Service Account Actor] roles, or any other role that includes the iam.serviceAccounts.actAs permission. See https://cloud.google.com/iam/docs/service-accounts-actas for additional details.",
    "status": "PERMISSION_DENIED"
  }
}
By default, if you do not set a service account on the command line that launches the Dataflow job, the default Compute service account is used.
On the command line that launches the Dataflow job, you can set a user-specified service account:
Java and Maven example:
mvn compile exec:java \
-Dexec.mainClass=com.package.MainClass \
-Dexec.args=" \
--project=project \
--runner=DataflowRunner \
--serviceAccount=your-sa-email
"
....
Python example:
python -m folder.main \
--project=project \
--runner=DataflowRunner \
--region=europe-west1 \
--setup_file=./setup.py \
--temp_location=gs://mazlum_dev/dataflow/temp \
--service_account_email=your-sa-email
....
This user-specified service account needs the roles expected for launching the job, as well as the role that allows it to be impersonated (act-as):
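As an added example (not part of either post), the following Python evaluates constructed IAM policy JSON to decide whether a build principal holds a role carrying iam.serviceAccounts.actAs on the worker service account, and shows the least-privilege binding the last sentence refers to. The service-account names, role bindings and policies are assumptions made for the example.

```python
"""Decide whether a build principal may act as a Dataflow worker SA.

Added example, not from the post. It evaluates IAM policy JSON of the
shape printed by `gcloud projects get-iam-policy PROJECT --format=json`
and `gcloud iam service-accounts get-iam-policy WORKER_SA --format=json`.
All service-account names and policy contents below are constructed.
"""
import json

# Predefined roles that carry iam.serviceAccounts.actAs, the permission the
# 403 in the question asks for (Service Account Actor is the legacy name).
ACT_AS_ROLES = frozenset({"roles/owner", "roles/editor", "roles/iam.serviceAccountUser"})

BUILD_SA = "serviceAccount:build-sa@my-prj.iam.gserviceaccount.com"  # constructed

# Constructed project policy: the build SA can launch Dataflow jobs and write
# to the staging bucket, but no role here includes actAs.
PROJECT_POLICY = json.dumps({"bindings": [
    {"role": "roles/dataflow.developer", "members": [BUILD_SA]},
    {"role": "roles/storage.objectAdmin", "members": [BUILD_SA]},
]})

# Constructed worker-SA policy before the fix: tokenCreator is NOT actAs.
WORKER_POLICY_BEFORE = json.dumps({"bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator", "members": [BUILD_SA]},
]})

def roles_of(policy_json, member):
    """Roles bound directly to `member` in one policy document."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def can_act_as(project_policy, sa_policy, member):
    """actAs may be granted at project level or on the SA itself."""
    held = roles_of(project_policy, member) | roles_of(sa_policy, member)
    return bool(held & ACT_AS_ROLES)

def grant_act_as(sa_policy, member):
    """Return the SA policy with the least-privilege binding added, i.e. what
    `gcloud iam service-accounts add-iam-policy-binding WORKER_SA
    --member=MEMBER --role=roles/iam.serviceAccountUser` changes."""
    policy = json.loads(sa_policy)
    for b in policy.setdefault("bindings", []):
        if b["role"] == "roles/iam.serviceAccountUser":
            if member not in b["members"]:
                b["members"].append(member)
            return json.dumps(policy)
    policy["bindings"].append({"role": "roles/iam.serviceAccountUser", "members": [member]})
    return json.dumps(policy)
```

Granting Service Account User on the worker SA only, rather than Editor on the project, is the narrowest fix for the 403 shown in the question.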