【Question title】: Which permission is missing to initialize the Spanner client?
【Posted】: 2020-10-05 16:06:03
【Question】:

Trying to create a Spanner client in GKE pods, but getting:

  File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/database.py", line 519, in run_in_transaction
    with SessionCheckout(self._pool) as session:
  File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/pool.py", line 536, in __enter__
    self._session = self._pool.get(**self._kwargs)
  File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/pool.py", line 273, in get
    session.create()
  File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/session.py", line 117, in create
    session_pb = api.create_session(self._database.name, metadata=metadata, **kw)
  File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/gapic/spanner_client.py", line 307, in create_session
    request, retry=retry, timeout=timeout, metadata=metadata
  File "/usr/local/lib/python3.7/site-packages/google/api_core/gapic_v1/method.py", line 145, in __call__
    return wrapped_func(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py", line 286, in retry_wrapped_func
    on_error=on_error,
  File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py", line 206, in retry_target
    last_exc,
  File "<string>", line 3, in raise_from

google.api_core.exceptions.RetryError: Deadline of 3600.0s exceeded while calling functools.partial(<function _wrap_unary_errors.<locals>.error_remapped_callable at 0x7f8bff413ef0>,
database: "projects/myproj-1501/instances/tfgen-spanid-2020585/databases/spanner-stage,
metadata=[('google-cloud-resource-prefix', 'projects/myproj-1501/instances/tfgen-spanid-2020585/databases/spanner-stage'),
('x-goog-request-params',
'database=projects/myproj-1501/instances/tfgen-spanid-2020585/databases/spanner-stage'),
 ('x-goog-api-client', 'gl-python/3.7.9 grpc/1.32.0 gax/1.22.2 gapic/1.17.1 gccl/1.17.1')]),
 last exception: 503 Getting metadata from plugin failed with error: ("Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/spanner-db-sa@myproj-1501.iam.gserviceaccount.com/token from the Google Compute Enginemetadata service.
  Status: 403 Response:\nb'Unable to generate access token; IAM returned 403 Forbidden: The caller does not have permission\\nThis error could be caused by a missing IAM policy binding on the target IAM service account.
  \\nFor more information, refer to the Workload Identity documentation:\\n\\thttps://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#creating_a_relationship_between_ksas_and_gsas\\n\\n'", <google.auth.transport.requests._Response object at 0x7f8bfcb33810>)

Any idea how to find out which permission is missing? And which service account needs this permission?

Thanks

【Discussion】:

Tags: google-compute-engine google-kubernetes-engine gcloud google-cloud-spanner


【Answer 1】:

Under this article, step 2 explains how to grant roles and points to one of these roles. I suspect you need one of the following two roles:

roles/spanner.admin

roles/spanner.databaseAdmin

There are too many steps listed here, and they depend on the account, but step 1 in the first article shows you how to identify the correct service account. Note that GKE uses GCE, so the service account may just look like a normal "Compute Engine" service account.

【Discussion】:

【Answer 2】:

The error message indicates that an IAM policy binding may be missing on the target IAM service account "spanner-db-sa@myproj-1501.iam.gserviceaccount.com". Could you follow the Workload Identity documentation?

In addition, you need to grant the service account permission to access the Cloud Spanner database. You can follow the instructions here.

【Discussion】:
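As an added example (not code from the question or from either answer), the following Python check turns both answers into something you can run against policy JSON exported with `gcloud iam service-accounts get-iam-policy` and `gcloud projects get-iam-policy`: it verifies the roles/iam.workloadIdentityUser binding that the 403 in the traceback refers to, and lists which Spanner roles the GSA actually holds. The namespace and KSA name, the inline policy dicts, and roles/spanner.databaseUser as the least-privilege alternative to the two roles in Answer 1 are assumptions.

```python
WI_ROLE = "roles/iam.workloadIdentityUser"
# Roles that grant access to a Spanner database: the two named in Answer 1 plus
# roles/spanner.databaseUser, the least-privilege choice for an application (assumption).
SPANNER_ROLES = {"roles/spanner.admin", "roles/spanner.databaseAdmin",
                 "roles/spanner.databaseUser"}

PROJECT = "myproj-1501"
GSA = f"spanner-db-sa@{PROJECT}.iam.gserviceaccount.com"
NAMESPACE, KSA = "stage", "spanner-ksa"   # hypothetical, not given in the question

# Constructed sample: parsed output of
#   gcloud iam service-accounts get-iam-policy GSA --format=json
# with no bindings at all, i.e. the state behind the 403 in the question.
GSA_POLICY = {"etag": "BwXYZconstructed", "version": 1}
# Constructed sample: parsed output of gcloud projects get-iam-policy PROJECT --format=json
PROJECT_POLICY = {"bindings": [
    {"role": "roles/spanner.databaseUser", "members": [f"serviceAccount:{GSA}"]},
]}


def wi_member(project, namespace, ksa):
    """Principal name a pod presents for its KSA when Workload Identity is enabled."""
    return f"serviceAccount:{project}.svc.id.goog[{namespace}/{ksa}]"


def members_with_role(policy, role):
    """All members bound to `role` in an IAM policy dict (conditions are ignored)."""
    return {m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])}


def check_workload_identity(gsa_policy, gsa, project, namespace, ksa):
    """The binding the error mentions: the KSA must be allowed to impersonate the GSA.
    Returns (True, None) when present, else (False, the gcloud command that adds it)."""
    member = wi_member(project, namespace, ksa)
    if member in members_with_role(gsa_policy, WI_ROLE):
        return True, None
    fix = (f"gcloud iam service-accounts add-iam-policy-binding {gsa} "
           f"--role {WI_ROLE} --member '{member}'")
    return False, fix


def spanner_roles_for(project_policy, gsa):
    """Spanner roles the GSA holds at project level; an empty set means no database access."""
    return {r for r in SPANNER_ROLES
            if f"serviceAccount:{gsa}" in members_with_role(project_policy, r)}


if __name__ == "__main__":
    ok, fix = check_workload_identity(GSA_POLICY, GSA, PROJECT, NAMESPACE, KSA)
    print("workload identity binding:", "ok" if ok else f"MISSING, run:\n  {fix}")
    print("spanner roles on project:", spanner_roles_for(PROJECT_POLICY, GSA) or "NONE")
```

Spanner roles can also be bound directly on the instance or database rather than on the project, which this project-level check does not see; the Workload Identity binding, by contrast, always lives on the GSA's own policy, which is why the check reads that policy and not the project's.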
