Problem description
I'm trying to create a Spanner client in a GKE pod, but I get:
  File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/database.py", line 519, in run_in_transaction
    with SessionCheckout(self._pool) as session:
  File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/pool.py", line 536, in __enter__
    self._session = self._pool.get(**self._kwargs)
  File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/pool.py", line 273, in get
    session.create()
  File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/session.py", line 117, in create
    session_pb = api.create_session(self._database.name, metadata=metadata, **kw)
  File "/usr/local/lib/python3.7/site-packages/google/cloud/spanner_v1/gapic/spanner_client.py", line 307, in create_session
    request, retry=retry, timeout=timeout, metadata=metadata
  File "/usr/local/lib/python3.7/site-packages/google/api_core/gapic_v1/method.py", line 145, in __call__
    return wrapped_func(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py", line 286, in retry_wrapped_func
    on_error=on_error,
  File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py", line 206, in retry_target
    last_exc,
  File "<string>", line 3, in raise_from
google.api_core.exceptions.RetryError: Deadline of 3600.0s exceeded while calling functools.partial(<function _wrap_unary_errors.<locals>.error_remapped_callable at 0x7f8bff413ef0>, database: "projects/myproj-1501/instances/tfgen-spanid-2020585/databases/spanner-stage", metadata=[('google-cloud-resource-prefix', 'projects/myproj-1501/instances/tfgen-spanid-2020585/databases/spanner-stage'), ('x-goog-request-params', 'database=projects/myproj-1501/instances/tfgen-spanid-2020585/databases/spanner-stage'), ('x-goog-api-client', 'gl-python/3.7.9 grpc/1.32.0 gax/1.22.2 gapic/1.17.1 gccl/1.17.1')]), last exception: 503 Getting metadata from plugin failed with error: ("Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/[email protected]/token from the Google Compute Engine metadata service.
Status: 403 Response:\nb'Unable to generate access token; IAM returned 403 Forbidden: The caller does not have permission\\nThis error could be caused by a missing IAM policy binding on the target IAM service account.
\\nFor more information, refer to the Workload Identity documentation:\\n\\thttps://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#creating_a_relationship_between_ksas_and_gsas\\n\\n'", <google.auth.transport.requests._Response object at 0x7f8bfcb33810>)
Any idea how to find out which permission is missing? Which service account needs this permission?
Thanks
Solution
In this article, step 2 explains how to grant roles and points to one of these roles. I suspect you need one of the following two roles:
roles/spanner.admin
roles/spanner.databaseAdmin
There are too many steps to list here, and they depend on the account, but step 1 in the first article shows you how to identify the correct service account. Note that GKE is a GCE user, so the service account may look just like a regular "Compute Engine" service account.
The error message indicates that an IAM policy binding may be missing on the target IAM service account "[email protected]". Could you follow the Workload Identity documentation?
In addition, you need to grant your service account access to the Cloud Spanner database. You can follow the instructions here.
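Both answers above point at the same two IAM bindings: the Kubernetes service account (KSA) must be allowed to impersonate the Google service account (GSA) named in the 403, and that GSA must itself hold a Spanner role. The script below is an added example, not code from the question or from either answer; it checks both bindings offline against the JSON that `gcloud ... get-iam-policy --format=json` prints and emits the `gcloud` commands for whatever is missing. The project, namespace, KSA and GSA names and the policy documents are hypothetical and constructed inline.

```python
"""Offline check for the two IAM bindings GKE Workload Identity needs before a
pod can obtain a token for a Google service account and call Cloud Spanner.

Inputs are constructed below; in practice they come from
  gcloud iam service-accounts get-iam-policy GSA_EMAIL --format=json
  gcloud projects get-iam-policy PROJECT_ID --format=json
All project, namespace, KSA and GSA names here are hypothetical.
"""
import json
import re

# Any one of these on the project lets the GSA create Spanner sessions;
# databaseUser is the least-privileged of the three for a data-path client.
SPANNER_ROLES = {
    "roles/spanner.admin",
    "roles/spanner.databaseAdmin",
    "roles/spanner.databaseUser",
}
WI_ROLE = "roles/iam.workloadIdentityUser"


def gsa_from_error(error_text):
    """Extract the target GSA email from the metadata-server 403 message."""
    match = re.search(r"service-accounts/([^/]+)/token", error_text)
    return match.group(1) if match else None


def wi_member(project_id, namespace, ksa_name):
    """IAM member string that GKE presents for a Kubernetes service account."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"


def roles_of(policy, member):
    """Set of roles bound to `member` in a get-iam-policy JSON document."""
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def diagnose(gsa_policy, project_policy, project_id, namespace, ksa_name, gsa_email):
    """Return the gcloud commands needed to add missing bindings ([] if none).

    Binding 1: the KSA must be a workloadIdentityUser *on the GSA*; this is
    the binding the 403 in the traceback complains about.
    Binding 2: the GSA itself must hold a Spanner role on the project.
    """
    fixes = []
    ksa = wi_member(project_id, namespace, ksa_name)
    if WI_ROLE not in roles_of(gsa_policy, ksa):
        fixes.append(
            f"gcloud iam service-accounts add-iam-policy-binding {gsa_email} "
            f"--role={WI_ROLE} --member='{ksa}'"
        )
    if not SPANNER_ROLES & roles_of(project_policy, f"serviceAccount:{gsa_email}"):
        fixes.append(
            f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member=serviceAccount:{gsa_email} --role=roles/spanner.databaseUser"
        )
    return fixes


# --- constructed sample data (hypothetical names) ----------------------------
PROJECT, NAMESPACE, KSA = "example-proj", "stage", "spanner-app-ksa"
GSA = f"spanner-app@{PROJECT}.iam.gserviceaccount.com"

SAMPLE_ERROR = (
    "Failed to retrieve http://metadata.google.internal/computeMetadata/v1/"
    f"instance/service-accounts/{GSA}/token from the Google Compute Engine "
    "metadata service. Status: 403"
)

# State that reproduces the question: the GSA has a Spanner role, but no KSA
# is allowed to impersonate it, so the metadata server returns 403.
GSA_POLICY_BROKEN = json.loads('{"bindings": [], "etag": "BwXx", "version": 1}')
PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/spanner.databaseUser", "members": [f"serviceAccount:{GSA}"]},
    ],
    "etag": "BwYy",
    "version": 1,
}
# State after running the first suggested command.
GSA_POLICY_FIXED = {
    "bindings": [{"role": WI_ROLE, "members": [wi_member(PROJECT, NAMESPACE, KSA)]}],
    "etag": "BwZz",
    "version": 1,
}

if __name__ == "__main__":
    target = gsa_from_error(SAMPLE_ERROR)
    for cmd in diagnose(GSA_POLICY_BROKEN, PROJECT_POLICY, PROJECT, NAMESPACE, KSA, target):
        print(cmd)
```

The check only covers IAM. The pod's KSA must also carry the `iam.gke.io/gcp-service-account: GSA_EMAIL` annotation, and Spanner roles granted at the instance or database level rather than the project will not show up in the project policy, so an empty result from this script is necessary but not sufficient.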