Unable to access cloudbilling.googleapis.com from GKE pod/GCE VM

Posted 2025-02-07 05:19:07


We are currently seeing an issue in Terraform pipelines running in GKE pods where the data source that internally calls cloudbilling.googleapis.com returns "Your client does not have permission to get URL".

We have added the service account to the billing account with the Billing Account Viewer permission but are still seeing the same behaviour (the service account has all other required permissions). A simple curl request to the Cloud Billing API also returns the same error, and we observed this error in a GKE pod and a GCP VM as well.

Previously we were running the Terraform code using Cloud Build private worker pools and were able to access all the APIs without any issues.

Request to the API without the authentication header (observed the same behaviour with an auth token as well):

root@istio-ingressgateway-5944b79fdc-9fp67:/# curl https://cloudbilling.googleapis.com/v1/projects/test-projet/billingInfo
<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 403 (Forbidden)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>403.</b> <ins>That’s an error.</ins>
  <p>Your client does not have permission to get URL <code>/v1/projects/test-project/billingInfo</code> from this server.  <ins>That’s all we know.</ins> 

Calls to other APIs are working as expected:

root@istio-ingressgateway-5944b79fdc-9fp67:/# curl https://monitoring.googleapis.com/v3/projects/test-project/notificationChannels/6321545542211742323
{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "CREDENTIALS_MISSING",
        "domain": "googleapis.com",
        "metadata": {
          "method": "google.monitoring.v3.NotificationChannelService.GetNotificationChannel",
          "service": "monitoring.googleapis.com"
        }
      }
    ]
  }
}
root@istio-ingressgateway-5944b79fdc-9fp67:/# 

We are using VPC SC and Private Google Access is enabled on the subnets. Did anyone face this issue, and what are the recommended steps/config to resolve this?

Comments (1)

债姬 2025-02-14 05:19:07


We were able to resolve this issue after configuring a Cloud DNS response policy for cloudbilling.googleapis.com. The previous Private Google Access setup used restricted.googleapis.com, which does not support cloudbilling.googleapis.com.

We had to remove the private zone setup for the Private Google Access and configure response policies for cloudbilling.googleapis.com and *.googleapis.com.

Attached are the screenshots of the response policy configuration and the additional response policy rules set up for the APIs that are not covered under SC.

[Four screenshots of the response policy configuration; images not preserved in this copy]

Note: The Terraform google_dns_response_policy_rule does not currently support passthrough behaviour, so we had to use localdata; you will be able to use passthrough behaviour for the APIs once this issue is fixed: https://github.com/hashicorp/terraform-provider-google/issues/11193
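As an added illustration of the fix described in this answer (example code written for this page, not the answer author's configuration, which was only shown in screenshots): a Terraform layout with a wildcard localdata rule that keeps *.googleapis.com on the restricted VIP and a more specific localdata rule that answers cloudbilling.googleapis.com with the private VIP. The VPC name `main-vpc` and the `example-` names are placeholders, and routing the exception to private.googleapis.com (199.36.153.8/30) is my assumption about what the screenshots showed.

```hcl
# Added example, not from the original answer. Assumes an existing VPC
# named "main-vpc"; all "example-" names are placeholders.
data "google_compute_network" "main_vpc" {
  name = "main-vpc"
}

resource "google_dns_response_policy" "google_apis" {
  response_policy_name = "example-google-apis-policy"

  networks {
    network_url = data.google_compute_network.main_vpc.id
  }
}

# Default rule: every *.googleapis.com name resolves to the restricted VIP
# (restricted.googleapis.com, 199.36.153.4/30), which only serves
# VPC Service Controls-supported APIs.
resource "google_dns_response_policy_rule" "restricted_wildcard" {
  response_policy = google_dns_response_policy.google_apis.response_policy_name
  rule_name       = "example-restricted-googleapis"
  dns_name        = "*.googleapis.com."

  local_data {
    local_datas {
      name    = "*.googleapis.com."
      type    = "A"
      ttl     = 300
      rrdatas = ["199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"]
    }
  }
}

# Exception: the exact name wins over the wildcard, so cloudbilling (not served
# by the restricted VIP) is answered with the private VIP
# (private.googleapis.com, 199.36.153.8/30) instead.
resource "google_dns_response_policy_rule" "cloudbilling" {
  response_policy = google_dns_response_policy.google_apis.response_policy_name
  rule_name       = "example-cloudbilling-private"
  dns_name        = "cloudbilling.googleapis.com."

  local_data {
    local_datas {
      name    = "cloudbilling.googleapis.com."
      type    = "A"
      ttl     = 300
      rrdatas = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
    }
  }
}
```

The private VIP reaches every Google API, so keep such exceptions to exact hostnames rather than widening the wildcard; VPC SC still enforces its perimeter on the service side for supported services.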
