wangdefa/tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: 更新 create_ai_projects.sh 脚本以改进服务账号和 API 密钥创建逻辑

Browse Source
This commit is contained in:
Wang Defa
2026-01-29 22:33:40 +08:00
parent 4b7e604313
commit fbc5e6edff
1 changed files with 120 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

154
gcp/create_ai_projects.sh
View File

@@ -280,23 +280,24 @@ enable_services() {
} }
# #
# 创建服务账号 # 创建服务账号(用于 API 密钥身份验证)
# #
create_service_account() { create_service_account() {
local project_id=$1 local project_id=$1
local max_retries=$2 local max_retries=$2
local retry_delay=$3 local retry_delay=$3
local sa_name="vertex-ai-runner"
local sa_email="${sa_name}@${project_id}.iam.gserviceaccount.com"
log_info "创建服务账号 service-account@$project_id.iam.gserviceaccount.com" log_info "创建服务账号 $sa_email"
# 检查服务账号是否已存在 if gcloud iam service-accounts describe "$sa_email" --project="$project_id" &>/dev/null; then
if gcloud iam service-accounts describe "service-account@$project_id.iam.gserviceaccount.com" --project="$project_id" &>/dev/null; then
log_warning "服务账号已存在,跳过创建" log_warning "服务账号已存在,跳过创建"
return 0 return 0
fi fi
if retry_command "$max_retries" "$retry_delay" gcloud iam service-accounts create service-account \ if retry_command "$max_retries" "$retry_delay" gcloud iam service-accounts create "$sa_name" \
--display-name="AI Platform Service Account" \ --display-name="Vertex AI Runner" \
--project="$project_id"; then --project="$project_id"; then
log_success "服务账号创建成功" log_success "服务账号创建成功"
return 0 return 0
@@ -307,48 +308,124 @@ create_service_account() {
} }
# #
# 添加 IAM 策略 # 授予服务账号 Vertex AI 角色
# #
add_iam_policy() { grant_vertex_ai_role() {
local project_id=$1 local project_id=$1
local max_retries=$2 local max_retries=$2
local retry_delay=$3 local retry_delay=$3
local sa_email="vertex-ai-runner@${project_id}.iam.gserviceaccount.com"
log_info "授予 aiplatform.serviceAgent 角色" log_info "授予 Vertex AI Platform Express User 角色"
if retry_command "$max_retries" "$retry_delay" gcloud projects add-iam-policy-binding "$project_id" \ if retry_command "$max_retries" "$retry_delay" gcloud projects add-iam-policy-binding "$project_id" \
--member="serviceAccount:service-account@$project_id.iam.gserviceaccount.com" \ --member="serviceAccount:$sa_email" \
--role="roles/aiplatform.serviceAgent"; then --role="roles/aiplatform.expressUser" \
log_success "IAM 策略授予成功" --condition=None; then
log_success "角色授予成功"
return 0 return 0
else else
log_error "授予 IAM 策略失败 (已重试)" log_error "授予角色失败 (已重试)"
return 1 return 1
fi fi
} }
# #
# 创建服务账号密钥 # 启用 API Keys 服务
# #
create_service_account_key() { enable_api_keys_service() {
local project_id=$1 local project_id=$1
local max_retries=$2 local max_retries=$2
local retry_delay=$3 local retry_delay=$3
log_info "创建服务账号密钥" log_info "启用 apikeys.googleapis.com 服务"
if retry_command "$max_retries" "$retry_delay" gcloud services enable apikeys.googleapis.com --project="$project_id"; then
log_success "API Keys 服务启用成功"
return 0
else
log_error "启用 apikeys.googleapis.com 服务失败 (已重试)"
return 1
fi
}
# 检查密钥文件是否已存在 #
if [ -f "pass-$project_id.json" ]; then # 创建 Google Cloud API 密钥(绑定服务账号)
log_warning "密钥文件 pass-$project_id.json 已存在,跳过创建" #
create_api_key() {
local project_id=$1
local max_retries=$2
local retry_delay=$3
local key_file="apikey-$project_id.txt"
local sa_email="vertex-ai-runner@${project_id}.iam.gserviceaccount.com"
log_info "创建 Google Cloud API 密钥(绑定服务账号 $sa_email"
if [ -f "$key_file" ]; then
log_warning "API 密钥文件 $key_file 已存在,跳过创建"
return 0 return 0
fi fi
if retry_command "$max_retries" "$retry_delay" gcloud iam service-accounts keys create "pass-$project_id.json" \ local key_name="vertex-ai-key"
--iam-account="service-account@$project_id.iam.gserviceaccount.com" \ local attempt=1
--project="$project_id"; then local create_success=false
log_success "服务账号密钥创建成功: pass-$project_id.json"
while [ $attempt -le "$max_retries" ]; do
log_info "尝试创建 API 密钥 (第 $attempt/$max_retries 次)"
local temp_error
temp_error=$(mktemp)
if gcloud services api-keys create \
--display-name="$key_name" \
--api-target=service=aiplatform.googleapis.com \
--service-account="$sa_email" \
--project="$project_id" 2>"$temp_error"; then
log_success "API 密钥创建命令执行成功"
rm -f "$temp_error"
create_success=true
break
else
log_warning "创建失败 (第 $attempt/$max_retries 次)"
if [ -s "$temp_error" ]; then
log_error "错误: $(cat "$temp_error")"
fi
rm -f "$temp_error"
if [ $attempt -lt "$max_retries" ]; then
log_info "将在 $retry_delay 秒后重试..."
sleep "$retry_delay"
fi
fi
((attempt++))
done
if [ "$create_success" != "true" ]; then
log_error "创建 API 密钥命令执行失败"
return 1
fi
log_info "等待 API 密钥创建完成..."
sleep 5
log_info "查找已创建的 API 密钥..."
local key_resource_name
key_resource_name=$(gcloud services api-keys list --project="$project_id" --filter="displayName=$key_name" --format="value(name)" 2>/dev/null | head -n 1)
if [ -z "$key_resource_name" ]; then
log_error "未找到已创建的 API 密钥"
return 1
fi
log_info "获取 API 密钥字符串: $key_resource_name"
local api_key_value
api_key_value=$(gcloud services api-keys get-key-string "$key_resource_name" --format="value(keyString)" 2>/dev/null)
if [ -n "$api_key_value" ]; then
echo "$api_key_value" > "$key_file"
log_success "API 密钥创建成功: $key_file"
return 0 return 0
else else
log_error "创建服务账号密钥失败 (已重试)" log_error "无法获取 API 密钥字符串"
return 1 return 1
fi fi
} }
@@ -359,6 +436,7 @@ START_NUM="$DEFAULT_START_NUM"
REPEAT_NUM="$DEFAULT_REPEAT_NUM" REPEAT_NUM="$DEFAULT_REPEAT_NUM"
MAX_RETRIES="$DEFAULT_MAX_RETRIES" MAX_RETRIES="$DEFAULT_MAX_RETRIES"
RETRY_DELAY="$DEFAULT_RETRY_DELAY" RETRY_DELAY="$DEFAULT_RETRY_DELAY"
DEBUG_MODE=false
# 解析命令行参数 # 解析命令行参数
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
@@ -522,17 +600,25 @@ for i in $(seq "$START_NUM" "$END_NUM"); do
fi fi
if [ "$project_success" = true ]; then if [ "$project_success" = true ]; then
log_debug "步骤5: 添加IAM策略" log_debug "步骤5: 授予 Vertex AI 角色"
if ! add_iam_policy "$PROJECT_ID" "$MAX_RETRIES" "$RETRY_DELAY"; then if ! grant_vertex_ai_role "$PROJECT_ID" "$MAX_RETRIES" "$RETRY_DELAY"; then
log_debug "添加IAM策略失败" log_debug "授予角色失败"
project_success=false project_success=false
fi fi
fi fi
if [ "$project_success" = true ]; then if [ "$project_success" = true ]; then
log_debug "步骤6: 创建服务账号密钥" log_debug "步骤6: 启用 API Keys 服务"
if ! create_service_account_key "$PROJECT_ID" "$MAX_RETRIES" "$RETRY_DELAY"; then if ! enable_api_keys_service "$PROJECT_ID" "$MAX_RETRIES" "$RETRY_DELAY"; then
log_debug "创建服务账号密钥失败" log_debug "启用 API Keys 服务失败"
project_success=false
fi
fi
if [ "$project_success" = true ]; then
log_debug "步骤7: 创建 API 密钥"
if ! create_api_key "$PROJECT_ID" "$MAX_RETRIES" "$RETRY_DELAY"; then
log_debug "创建 API 密钥失败"
project_success=false project_success=false
fi fi
fi fi
@@ -540,10 +626,10 @@ for i in $(seq "$START_NUM" "$END_NUM"); do
# 统计结果 # 统计结果
if [ "$project_success" = true ]; then if [ "$project_success" = true ]; then
log_success "项目 $PROJECT_ID 所有操作处理完成" log_success "项目 $PROJECT_ID 所有操作处理完成"
((successful_projects++)) ((successful_projects++)) || true
else else
log_warning "项目 $PROJECT_ID 处理过程中出现错误,部分操作可能未完成。" log_warning "项目 $PROJECT_ID 处理过程中出现错误,部分操作可能未完成。"
((failed_projects++)) ((failed_projects++)) || true
fi fi
# 添加延迟,避免 API 限制 # 添加延迟,避免 API 限制
@@ -567,8 +653,8 @@ if [ "$successful_projects" -gt 0 ]; then
log_success "成功创建的项目:" log_success "成功创建的项目:"
for i in $(seq "$START_NUM" "$END_NUM"); do for i in $(seq "$START_NUM" "$END_NUM"); do
PROJECT_ID="${PROJECT_ID_PREFIX}$(printf "%02d" "$i")" PROJECT_ID="${PROJECT_ID_PREFIX}$(printf "%02d" "$i")"
if [ -f "pass-$PROJECT_ID.json" ]; then if [ -f "apikey-$PROJECT_ID.txt" ]; then
log_info "$PROJECT_ID (密钥文件: pass-$PROJECT_ID.json)" log_info "$PROJECT_ID (API 密钥文件: apikey-$PROJECT_ID.txt)"
fi fi
done done
fi fi