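Workflows service account does not accept a valid service account ID

Problem description

I am trying to deploy a workflow using the https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/workflows_workflow terraform resource, but it fails with the error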

Error: Error creating Workflow: googleapi: Error 400: request contains errors
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.BadRequest","fieldViolations": [
      {
        "description": "The referenced service account is not user-managed,please verify the correctness of the service account name","field": "workflow.service_account"
      }
    ]
  }
]

By running terraform plan I can see that this is the definition of my workflow:

  + resource "google_workflows_workflow" "my_first_workflow" {
      + create_time     = (known after apply)
      + description     = "Magic"
      + id              = (known after apply)
      + name            = "myworkflow"
      + name_prefix     = (known after apply)
      + project         = "myproject"
      + region          = "europe-west4"
      + revision_id     = (known after apply)
      + service_account = "projects/myproject/serviceAccounts/service-account"
      + source_contents = <<-EOT

              - postCallBigqueryStoredProcedure:
                  call: http.post
                  args:
                      url: https://bigquery.googleapis.com/bigquery/v2/projects/myproject/jobs
                      body: {
                                "configuration": {
                                    "query": {
                                    "query": "call mydataset.mystoredprocedure()"
                                    }
                                }
                            }
        EOT
      + state           = (known after apply)
      + update_time     = (known after apply)
    }

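The error message complains about the service account, but I am sure that the service account named here, projects/myproject/serviceAccounts/service-account, is valid and exists, so I have no idea why I am getting this error. Googling the error message did not turn up anything useful.

Does anyone know what the problem might be?

Solution

You mentioned that the service account is valid and exists. When you reference it, are you including the full account name, including the details after the "@", i.e. 7**********-compute@developer.gserviceaccount.com?

I was able to replicate this behavior by using an incorrect name, or a service account name without the full email address.

You must use the full email address of the service account. Here is an example of the correct format. I am currently using Terraform v0.14.7: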

service_account = "projects/project_id/serviceAccounts/7**********-compute@developer.gserviceaccount.com"
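
An added example, not part of the original question or answer: one way to avoid hand-typing the email is to let Terraform manage a dedicated service account and reference its id attribute, which the google provider renders as projects/<project>/serviceAccounts/<full email>. The account name workflow-runner, the IAM binding and the auth block are assumptions made for illustration.

```hcl
# Hypothetical dedicated identity for the workflow (the name is an assumption).
# A dedicated account keeps the workflow off the broadly privileged default
# compute service account.
resource "google_service_account" "workflow_runner" {
  project      = "myproject"
  account_id   = "workflow-runner"
  display_name = "Runs myworkflow"
}

# Grant only the project-level role needed to create BigQuery jobs.
# Access to the dataset and stored procedure is granted separately.
resource "google_project_iam_member" "workflow_runner_bq_jobs" {
  project = "myproject"
  role    = "roles/bigquery.jobUser"
  member  = "serviceAccount:${google_service_account.workflow_runner.email}"
}

resource "google_workflows_workflow" "my_first_workflow" {
  project     = "myproject"
  region      = "europe-west4"
  name        = "myworkflow"
  description = "Magic"

  # Rejected with the 400 shown in the question: the last path segment is a
  # short name, not the account's full email address.
  # service_account = "projects/myproject/serviceAccounts/service-account"

  # Accepted: resolves to
  # projects/myproject/serviceAccounts/workflow-runner@myproject.iam.gserviceaccount.com
  service_account = google_service_account.workflow_runner.id

  source_contents = <<-EOT
    - postCallBigqueryStoredProcedure:
        call: http.post
        args:
          url: https://bigquery.googleapis.com/bigquery/v2/projects/myproject/jobs
          # Assumption: OAuth2 auth added so the request is made as the
          # workflow's service account.
          auth:
            type: OAuth2
          body:
            configuration:
              query:
                query: "call mydataset.mystoredprocedure()"
  EOT
}
```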