From fbc5e6edff3dc3a162562c46b1ea4536dac1341b Mon Sep 17 00:00:00 2001 From: Wang Defa Date: Thu, 29 Jan 2026 22:33:40 +0800 Subject: [PATCH] =?UTF-8?q?fix:=20=E6=9B=B4=E6=96=B0=20create=5Fai=5Fproje?= =?UTF-8?q?cts.sh=20=E8=84=9A=E6=9C=AC=E4=BB=A5=E6=94=B9=E8=BF=9B=E6=9C=8D?= =?UTF-8?q?=E5=8A=A1=E8=B4=A6=E5=8F=B7=E5=92=8C=20API=20=E5=AF=86=E9=92=A5?= =?UTF-8?q?=E5=88=9B=E5=BB=BA=E9=80=BB=E8=BE=91?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- gcp/create_ai_projects.sh | 154 +++++++++++++++++++++++++++++--------- 1 file changed, 120 insertions(+), 34 deletions(-) diff --git a/gcp/create_ai_projects.sh b/gcp/create_ai_projects.sh index 101d4cd..78fee29 100644 --- a/gcp/create_ai_projects.sh +++ b/gcp/create_ai_projects.sh @@ -280,23 +280,24 @@ enable_services() { } # -# 创建服务账号 +# 创建服务账号(用于 API 密钥身份验证) # create_service_account() { local project_id=$1 local max_retries=$2 local retry_delay=$3 + local sa_name="vertex-ai-runner" + local sa_email="${sa_name}@${project_id}.iam.gserviceaccount.com" - log_info "创建服务账号 service-account@$project_id.iam.gserviceaccount.com" + log_info "创建服务账号 $sa_email" - # 检查服务账号是否已存在 - if gcloud iam service-accounts describe "service-account@$project_id.iam.gserviceaccount.com" --project="$project_id" &>/dev/null; then + if gcloud iam service-accounts describe "$sa_email" --project="$project_id" &>/dev/null; then log_warning "服务账号已存在,跳过创建" return 0 fi - if retry_command "$max_retries" "$retry_delay" gcloud iam service-accounts create service-account \ - --display-name="AI Platform Service Account" \ + if retry_command "$max_retries" "$retry_delay" gcloud iam service-accounts create "$sa_name" \ + --display-name="Vertex AI Runner" \ --project="$project_id"; then log_success "服务账号创建成功" return 0 @@ -307,48 +308,124 @@ create_service_account() { } # -# 添加 IAM 策略 +# 授予服务账号 Vertex AI 角色 # -add_iam_policy() { +grant_vertex_ai_role() { local project_id=$1 local max_retries=$2 local retry_delay=$3 + local sa_email="vertex-ai-runner@${project_id}.iam.gserviceaccount.com" - log_info "授予 aiplatform.serviceAgent 角色" + log_info "授予 Vertex AI Platform Express User 角色" if retry_command "$max_retries" "$retry_delay" gcloud projects add-iam-policy-binding "$project_id" \ - --member="serviceAccount:service-account@$project_id.iam.gserviceaccount.com" \ - --role="roles/aiplatform.serviceAgent"; then - log_success "IAM 策略授予成功" + --member="serviceAccount:$sa_email" \ + --role="roles/aiplatform.expressUser" \ + --condition=None; then + log_success "角色授予成功" return 0 else - log_error "授予 IAM 策略失败 (已重试)" + log_error "授予角色失败 (已重试)" return 1 fi } # -# 创建服务账号密钥 +# 启用 API Keys 服务 # -create_service_account_key() { +enable_api_keys_service() { local project_id=$1 local max_retries=$2 local retry_delay=$3 - log_info "创建服务账号密钥" + log_info "启用 apikeys.googleapis.com 服务" + if retry_command "$max_retries" "$retry_delay" gcloud services enable apikeys.googleapis.com --project="$project_id"; then + log_success "API Keys 服务启用成功" + return 0 + else + log_error "启用 apikeys.googleapis.com 服务失败 (已重试)" + return 1 + fi +} - # 检查密钥文件是否已存在 - if [ -f "pass-$project_id.json" ]; then - log_warning "密钥文件 pass-$project_id.json 已存在,跳过创建" +# +# 创建 Google Cloud API 密钥(绑定服务账号) +# +create_api_key() { + local project_id=$1 + local max_retries=$2 + local retry_delay=$3 + local key_file="apikey-$project_id.txt" + local sa_email="vertex-ai-runner@${project_id}.iam.gserviceaccount.com" + + log_info "创建 Google Cloud API 密钥(绑定服务账号 $sa_email)" + + if [ -f "$key_file" ]; then + log_warning "API 密钥文件 $key_file 已存在,跳过创建" return 0 fi - if retry_command "$max_retries" "$retry_delay" gcloud iam service-accounts keys create "pass-$project_id.json" \ - --iam-account="service-account@$project_id.iam.gserviceaccount.com" \ - --project="$project_id"; then - log_success "服务账号密钥创建成功: pass-$project_id.json" + local key_name="vertex-ai-key" + local attempt=1 + local create_success=false + + while [ $attempt -le "$max_retries" ]; do + log_info "尝试创建 API 密钥 (第 $attempt/$max_retries 次)" + + local temp_error + temp_error=$(mktemp) + + if gcloud services api-keys create \ + --display-name="$key_name" \ + --api-target=service=aiplatform.googleapis.com \ + --service-account="$sa_email" \ + --project="$project_id" 2>"$temp_error"; then + + log_success "API 密钥创建命令执行成功" + rm -f "$temp_error" + create_success=true + break + else + log_warning "创建失败 (第 $attempt/$max_retries 次)" + if [ -s "$temp_error" ]; then + log_error "错误: $(cat "$temp_error")" + fi + rm -f "$temp_error" + + if [ $attempt -lt "$max_retries" ]; then + log_info "将在 $retry_delay 秒后重试..." + sleep "$retry_delay" + fi + fi + ((attempt++)) + done + + if [ "$create_success" != "true" ]; then + log_error "创建 API 密钥命令执行失败" + return 1 + fi + + log_info "等待 API 密钥创建完成..." + sleep 5 + + log_info "查找已创建的 API 密钥..." + local key_resource_name + key_resource_name=$(gcloud services api-keys list --project="$project_id" --filter="displayName=$key_name" --format="value(name)" 2>/dev/null | head -n 1) + + if [ -z "$key_resource_name" ]; then + log_error "未找到已创建的 API 密钥" + return 1 + fi + + log_info "获取 API 密钥字符串: $key_resource_name" + local api_key_value + api_key_value=$(gcloud services api-keys get-key-string "$key_resource_name" --format="value(keyString)" 2>/dev/null) + + if [ -n "$api_key_value" ]; then + echo "$api_key_value" > "$key_file" + log_success "API 密钥创建成功: $key_file" return 0 else - log_error "创建服务账号密钥失败 (已重试)" + log_error "无法获取 API 密钥字符串" return 1 fi } @@ -359,6 +436,7 @@ START_NUM="$DEFAULT_START_NUM" REPEAT_NUM="$DEFAULT_REPEAT_NUM" MAX_RETRIES="$DEFAULT_MAX_RETRIES" RETRY_DELAY="$DEFAULT_RETRY_DELAY" +DEBUG_MODE=false # 解析命令行参数 while [[ $# -gt 0 ]]; do @@ -522,17 +600,25 @@ for i in $(seq "$START_NUM" "$END_NUM"); do fi if [ "$project_success" = true ]; then - log_debug "步骤5: 添加IAM策略" - if ! add_iam_policy "$PROJECT_ID" "$MAX_RETRIES" "$RETRY_DELAY"; then - log_debug "添加IAM策略失败" + log_debug "步骤5: 授予 Vertex AI 角色" + if ! grant_vertex_ai_role "$PROJECT_ID" "$MAX_RETRIES" "$RETRY_DELAY"; then + log_debug "授予角色失败" project_success=false fi fi if [ "$project_success" = true ]; then - log_debug "步骤6: 创建服务账号密钥" - if ! create_service_account_key "$PROJECT_ID" "$MAX_RETRIES" "$RETRY_DELAY"; then - log_debug "创建服务账号密钥失败" + log_debug "步骤6: 启用 API Keys 服务" + if ! enable_api_keys_service "$PROJECT_ID" "$MAX_RETRIES" "$RETRY_DELAY"; then + log_debug "启用 API Keys 服务失败" + project_success=false + fi + fi + + if [ "$project_success" = true ]; then + log_debug "步骤7: 创建 API 密钥" + if ! create_api_key "$PROJECT_ID" "$MAX_RETRIES" "$RETRY_DELAY"; then + log_debug "创建 API 密钥失败" project_success=false fi fi @@ -540,10 +626,10 @@ for i in $(seq "$START_NUM" "$END_NUM"); do # 统计结果 if [ "$project_success" = true ]; then log_success "项目 $PROJECT_ID 所有操作处理完成" - ((successful_projects++)) + ((successful_projects++)) || true else log_warning "项目 $PROJECT_ID 处理过程中出现错误,部分操作可能未完成。" - ((failed_projects++)) + ((failed_projects++)) || true fi # 添加延迟,避免 API 限制 @@ -567,8 +653,8 @@ if [ "$successful_projects" -gt 0 ]; then log_success "成功创建的项目:" for i in $(seq "$START_NUM" "$END_NUM"); do PROJECT_ID="${PROJECT_ID_PREFIX}$(printf "%02d" "$i")" - if [ -f "pass-$PROJECT_ID.json" ]; then - log_info " ✓ $PROJECT_ID (密钥文件: pass-$PROJECT_ID.json)" + if [ -f "apikey-$PROJECT_ID.txt" ]; then + log_info " ✓ $PROJECT_ID (API 密钥文件: apikey-$PROJECT_ID.txt)" fi done fi