I enabled the OS Login feature on one of my proxy server VM instances. But I cannot SSH, because I had to add my public key to Compute as follows:
gcloud compute os-login ssh-keys add --key-file=~/.ssh/google_compute.pub --ttl=365d
It says:
ERROR: (gcloud.compute.os-login.ssh-keys.add) User [[email protected]] does not have permission to access users instance [[email protected]:importSshPublicKey] (or it may not exist): Insufficient IAM permissions. The instance belongs to an external organization. You must be granted the roles/compute.osLoginExternalUser IAM role on the external organization to configure POSIX account information.
So I checked further, and none of my projects has an organization (it says No organization), so I used the command below to add the osLoginExternalUser permission,
gcloud beta compute instances add-iam-policy-binding vm-instance-name --zone=us-central1-a --member='user:[email protected]' --role='roles/compute.osLoginExternalUser'
but it results in the error below:
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.beta.compute.instances.add-iam-policy-binding) HTTPError 400: Role roles/compute.osLoginExternalUser is not supported for this resource.
What is going on!!! Please help.
+ Adding project information using the command
gcloud compute project-info describe
commonInstanceMetadata:
  fingerprint: NzXW3s3apL4=
  items:
  - key: ssh-keys
    value: |
      user:ssh-rsa ... google-ssh {"userName":"[email protected]","expireOn":"2021-03-04T10:55:54+0000"}
      user:ecdsa-sha2-nistp256 ...= google-ssh {"userName":"[email protected]","expireOn":"2021-03-04T10:55:53+0000"}
      user:ssh-rsa ... user@cs-1234-default-default-8fz65
      user:ssh-rsa .. A\user@PCNAME
  - key: sshKeys
    value: |2-
      ....
  kind: compute#metadata
defaultNetworkTier: PREMIUM
defaultServiceAccount: [email protected]
id: '1234'
kind: compute#project
name: project-name
quotas:
- limit: 25000.0
  metric: SNAPSHOTS
  usage: 0.0
- limit: 50.0
  metric: NETWORKS
  usage: 9.0
- limit: 500.0
  metric: FIREWALLS
  usage: 12.0
- limit: 10000.0
  metric: IMAGES
  usage: 0.0
- limit: 700.0
  metric: STATIC_ADDRESSES
  usage: 1.0
- limit: 500.0
  metric: ROUTES
  usage: 10.0
- limit: 375.0
  metric: FORWARDING_RULES
  usage: 2.0
- limit: 1250.0
  metric: TARGET_POOLS
  usage: 0.0
- limit: 1250.0
  metric: HEALTH_CHECKS
  usage: 4.0
- limit: 2300.0
  metric: IN_USE_ADDRESSES
  usage: 2.0
- limit: 1250.0
  metric: TARGET_INSTANCES
  usage: 0.0
- limit: 250.0
  metric: TARGET_HTTP_PROXIES
  usage: 2.0
- limit: 250.0
  metric: URL_MAPS
  usage: 2.0
- limit: 75.0
  metric: BACKEND_SERVICES
  usage: 4.0
- limit: 2500.0
  metric: INSTANCE_TEMPLATES
  usage: 6.0
- limit: 125.0
  metric: TARGET_VPN_GATEWAYS
  usage: 0.0
- limit: 250.0
  metric: VPN_TUNNELS
  usage: 0.0
- limit: 75.0
  metric: BACKEND_BUCKETS
  usage: 0.0
- limit: 20.0
  metric: ROUTERS
  usage: 0.0
- limit: 250.0
  metric: TARGET_SSL_PROXIES
  usage: 0.0
- limit: 250.0
  metric: TARGET_HTTPS_PROXIES
  usage: 0.0
- limit: 250.0
  metric: SSL_CERTIFICATES
  usage: 0.0
- limit: 275.0
  metric: SUBNETWORKS
  usage: 174.0
- limit: 250.0
  metric: TARGET_TCP_PROXIES
  usage: 0.0
- limit: 10.0
  metric: SECURITY_POLICIES
  usage: 0.0
- limit: 200.0
  metric: SECURITY_POLICY_RULES
  usage: 0.0
- limit: 1000.0
  metric: XPN_SERVICE_PROJECTS
  usage: 0.0
- limit: 375.0
  metric: PACKET_MIRRORINGS
  usage: 0.0
- limit: 2500.0
  metric: NETWORK_ENDPOINT_GROUPS
  usage: 0.0
- limit: 6.0
  metric: INTERCONNECTS
  usage: 0.0
- limit: 5000.0
  metric: GLOBAL_INTERNAL_ADDRESSES
  usage: 11.0
- limit: 125.0
  metric: VPN_GATEWAYS
  usage: 0.0
- limit: 10000.0
  metric: MACHINE_IMAGES
  usage: 0.0
- limit: 20.0
  metric: SECURITY_POLICY_CEVAL_RULES
  usage: 0.0
- limit: 125.0
  metric: EXTERNAL_VPN_GATEWAYS
  usage: 0.0
- limit: 1.0
  metric: PUBLIC_ADVERTISED_PREFIXES
  usage: 0.0
- limit: 10.0
  metric: PUBLIC_DELEGATED_PREFIXES
  usage: 0.0
- limit: 1024.0
  metric: STATIC_BYOIP_ADDRESSES
  usage: 0.0
- limit: 375.0
  metric: INTERNAL_TRAFFIC_DIRECTOR_FORWARDING_RULES
  usage: 0.0
selfLink: https://www.googleapis.com/compute/v1/projects/project-name
xpnProjectStatus: UNSPECIFIED_XPN_PROJECT_STATUS
user@cs-154457833976-default-default-gl5qv:~$ commonInstanceMetadata:
-bash: commonInstanceMetadata:: command not found
user@cs-154457833976-default-default-gl5qv:~$ fingerprint: NzXW3s3apL4=
-bash: fingerprint:: command not found
user@cs-154457833976-default-default-gl5qv:~$ items:
-bash: items:: command not found
user@cs-154457833976-default-default-gl5qv:~$ fingerprint: NzXW3s3apL4=
-bash: fingerprint:: command not found
user@cs-154457833976-default-default-gl5qv:~$ items:
-bash: items:: command not found
user@cs-154457833976-default-default-gl5qv:~$ - key: ssh-keys
-bash: -: command not found
user@cs-154457833976-default-default-gl5qv:~$ value: |
> user:ssh-rsa ...= google-ssh {"userName":"[email protected]","expireOn":"2021-03-04T10:55:54+0000"}
-bash: value:: command not found
-bash: user:ssh-rsa: command not found
user@cs-154457833976-default-default-gl5qv:~$ user:ecdsa-sha2-nistp256 ...= google-ssh {"userName":"[email protected]","expireOn":"2021-03-04T10:55:53+0000"}
-bash: user:ecdsa-sha2-nistp256: command not found
user@cs-154457833976-default-default-gl5qv:~$ user:ssh-rsa ... user@cs-154457833976-default-default-8fz65
-bash: user:ssh-rsa: command not found
user@cs-154457833976-default-default-gl5qv:~$ user:ssh-rsa ... A\user@PCNAME
-bash: user:ssh-rsa: command not found
user@cs-154457833976-default-default-gl5qv:~$ - key: sshKeys
-bash: -: command not found
+ Adding more project IAM permissions:
gcloud projects get-iam-policy test-project
bindings:
- members:
  - serviceAccount:[email protected]
  role: roles/cloudsql.editor
- members:
  - user:[email protected]
  role: roles/compute.osAdminLogin
- members:
  - user:[email protected]
  role: roles/owner
etag: BwW8ubx4adY=
version: 1
1) roles/compute.osLoginExternalUser is not supported for Compute Engine resources, only at the organization level. 2) Grant the role roles/compute.osLogin to the Compute Engine resource instead. 3) For the error "The instance belongs to an external organization." I will need more details about the project and the user identity. Edit your question with the details. - John Hanley, 05.03.2021