如何解决初始化扳手客户端缺少哪个权限?
试图在gke pod中创建扳手客户端,但是得到了:
File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/database.py",line 519,in run_in_transaction
with SessionCheckout(self._pool) as session:
File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/pool.py",line 536,in __enter__
self._session = self._pool.get(**self._kwargs)
File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/pool.py",line 273,in get
session.create()
File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/session.py",line 117,in create
session_pb = api.create_session(self._database.name,metadata=metadata,**kw)
File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/gapic/spanner_client.py",line 307,in create_session
request,retry=retry,timeout=timeout,metadata=metadata
File "/usr/local/lib/python3.7/site-packages/google/api_core/gapic_v1/method.py",line 145,in __call__
return wrapped_func(*args,**kwargs)
File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py",line 286,in retry_wrapped_func
on_error=on_error,File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py",line 206,in retry_target
last_exc,File "<string>",line 3,in raise_from
google.api_core.exceptions.RetryError: Deadline of 3600.0s exceeded while calling functools.partial(<function _wrap_unary_errors.<locals>.error_remapped_callable at 0x7f8bff413ef0>,database: "projects/myproj-1501/instances/tfgen-spanid-2020585/databases/spanner-stage,metadata=[('google-cloud-resource-prefix','projects/myproj-1501/instances/tfgen-spanid-2020585/databases/spanner-stage'),('x-goog-request-params','database=projects/myproj-1501/instances/tfgen-spanid-2020585/databases/spanner-stage'),('x-goog-api-client','gl-python/3.7.9 grpc/1.32.0 gax/1.22.2 gapic/1.17.1 gccl/1.17.1')]),last exception: 503 Getting metadata from plugin failed with error: ("Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/spanner-db-sa@myproj-1501.iam.gserviceaccount.com/token from the Google Compute Enginemetadata service.
Status: 403 Response:\nb'Unable to generate access token; IAM returned 403 Forbidden: The caller does not have permission\\nThis error could be caused by a missing IAM policy binding on the target IAM service account.
\\nFor more information,refer to the Workload Identity documentation:\\n\\thttps://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#creating_a_relationship_between_ksas_and_gsas\\n\\n'",<google.auth.transport.requests._Response object at 0x7f8bfcb33810>)
有什么主意如何找出缺少的权限吗?哪个服务帐户需要此权限?
谢谢
解决方法
在this文章下,第2步说明了如何授予角色,并指向these角色之一。我怀疑您需要以下两个角色之一:
roles / spanner.admin
roles / spanner.databaseAdmin
此处列出的步骤太多,并且取决于帐户,但是第一篇文章中的步骤1向您展示了如何识别正确的服务帐户。请注意,GKE是GCE用户,因此服务帐户可能看起来就像是常规的“ Compute Engine”服务帐户。
,错误消息表明目标IAM服务帐户“ spanner-db-sa@myproj-1501.iam.gserviceaccount.com”上可能缺少IAM策略绑定。您可以遵循Workload Identity documentation吗?
此外,您需要授予您的服务帐户访问Cloud Spanner数据库的权限。您可以按照here的说明进行操作。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。