Я создал виртуальную машину с помощью облачной функции (Cloud Function); экземпляр облачной функции и вычислительный экземпляр были созданы с использованием одной и той же учетной записи службы (SA). Этой SA я назначил роль IAM Compute Instance Admin (beta). При попытке создать виртуальную машину я вижу в журналах Stackdriver приведенные ниже ошибки. Я заметил, что если назначить этой SA роль Editor, виртуальную машину создать удается. Я не понимаю, в чем здесь проблема. Пожалуйста, посоветуйте.
**LOG 1** - Compute Engine insert us-central1-a:abc20200408180340 YY@XXXX.iam.gserviceaccount.com INVALID_ARGUMENT
full log message -
{
insertId: "50eye6dadjc"
logName: "projects/XXXX/logs/cloudaudit.googleapis.com%2Factivity"
operation: {
id: "operation-1586369020768-5a2cb51f731c4-4c38b6fc-0bb59fb4"
last: true
producer: "compute.googleapis.com"
}
protoPayload: {
@type: "type.googleapis.com/google.cloud.audit.AuditLog"
authenticationInfo: {
principalEmail: "YY@XXXX.iam.gserviceaccount.com"
}
methodName: "v1.compute.instances.insert"
request: {
@type: "type.googleapis.com/compute.instances.insert"
}
requestMetadata: {
callerIp: "2600:1900:2001:2::b"
callerSuppliedUserAgent: "(gzip),gzip(gfe)"
destinationAttributes: {
}
requestAttributes: {
}
}
resourceName: "projects/XXXX/zones/us-central1-a/instances/abc20200408180340"
serviceName: "compute.googleapis.com"
status: {
code: 3
message: "INVALID_ARGUMENT"
}
}
receiveTimestamp: "2020-04-08T18:03:51.502654357Z"
resource: {
labels: {
instance_id: "894148589006335762"
project_id: "XXXX"
zone: "us-central1-a"
}
type: "gce_instance"
}
severity: "ERROR"
timestamp: "2020-04-08T18:03:50.428Z"
}
**LOG 2** - 2020-04-08 13:03:50.699 CDT compute.instances.insert {"version":"1.2","error":[{"location":"","code":"SERVICE_ACCOUNT_ACCESS_DENIED","detail_message":""}],"event_timestamp_us":"1586369030699874","actor":{"user":"YY@XXXX.iam.gserviceaccount.com"},"resource":{"type":"instance","zone":"us-central1-a","id":"894148589006335762","name":"ba…
full log message -
{
insertId: "6o45gig1jthjep"
jsonPayload: {
actor: {
user: "YY@XXXX.iam.gserviceaccount.com"
}
error: [
0: {
code: "SERVICE_ACCOUNT_ACCESS_DENIED"
detail_message: ""
location: ""
}
]
event_subtype: "compute.instances.insert"
event_timestamp_us: "1586369030699874"
event_type: "GCE_OPERATION_DONE"
operation: {
id: "8573989519473487634"
name: "operation-1586369020768-5a2cb51f731c4-4c38b6fc-0bb59fb4"
type: "operation"
zone: "us-central1-a"
}
resource: {
id: "894148589006335762"
name: "abc20200408180340"
type: "instance"
zone: "us-central1-a"
}
trace_id: "operation-1586369020768-5a2cb51f731c4-4c38b6fc-0bb59fb4"
version: "1.2"
}
labels: {
compute.googleapis.com/resource_id: "894148589006335762"
compute.googleapis.com/resource_name: "abc20200408180340"
compute.googleapis.com/resource_type: "instance"
compute.googleapis.com/resource_zone: "us-central1-a"
}
logName: "projects/XXXX/logs/compute.googleapis.com%2Factivity_log"
receiveTimestamp: "2020-04-08T18:03:50.816357854Z"
resource: {
labels: {
instance_id: "894148589006335762"
project_id: "XXXX"
zone: "us-central1-a"
}
type: "gce_instance"
}
severity: "ERROR"
timestamp: "2020-04-08T18:03:50.699874Z"
}