简体   繁体   English

在google pubsub中设置gmail的发布权限,拒绝权限

[英]Set publish rights for gmail in google pubsub gives permission denied

I'm trying to set publish permissions for gmail to a pubsub topic in google cloud. 我正在尝试将gmail的发布权限设置为google云中的pubsub主题。 The application where I implemented this code is running in AWS. 我实现此代码的应用程序在AWS中运行。 It's a PHP application and I'm using version 2.0.0-RC7 of the google PHP api client. 这是一个PHP应用程序,我使用的是谷歌PHP api客户端的2.0.0-RC7版本。

In code, I implemented the flow as described in the documentation: 在代码中,我按照文档中的描述实现了流程:

  • Create a topic (Works) 创建主题(Works)
  • Create a subscription (works) 创建订阅(工作)
  • Grant publish rights to gmail (here I get stuck) 授予gmail发布权限(这里我被卡住了)

The first two actions are done with the same google client instance, that is authenticated with the service account credentials. 前两个操作是使用相同的Google客户端实例完成的,该实例使用服务帐户凭据进行身份验证。

The code: 编码:

$scopes = [
    'https://www.googleapis.com/auth/pubsub',
    'https://mail.google.com',
];
$pushEndpoint = 'https://some.url/google_notifications/';

$client = new Google_Client();
$client->setScopes($scopes);
$client->setAuthConfig($serviceAccountInfo);
if ($client->isAccessTokenExpired()) {
    $client->refreshTokenWithAssertion();
}
$service = new Google_Service_Pubsub($client);

// This part works
$topicObject = new Google_Service_Pubsub_Topic();
$topicObject->setName($this->getTopicName());
$service->projects_topics->create($this->getTopicName(), $topic);

// This part also works
$push = new Google_Service_Pubsub_PushConfig();
$push->setPushEndpoint($pushEndpoint);

$subscription = new Google_Service_Pubsub_Subscription();
$subscription->setName($this->getSubscriptionName());
$subscription->setTopic($this->getTopicName());
$subscription->setPushConfig($push);
$service->projects_subscriptions->create($this->getSubscriptionName(), $subscription);

// This part gives the error
$binding = new Google_Service_Pubsub_Binding();
$binding->setRole('roles/pubsub.publisher');
$binding->setMembers(['serviceAccount:gmail-api-push@system.gserviceaccount.com']);

$policy = new Google_Service_Pubsub_Policy();
$policy->setBindings([$binding]);

$setRequest = new Google_Service_Pubsub_SetIamPolicyRequest();
$setRequest->setPolicy($policy);

try {
    $result = $service->projects_topics->setIamPolicy($this->getTopicName(), $setRequest);
    var_dump($result);
} catch (\Exception $e) {
    echo $e->getMessage();
}

The result is always: 结果总是:

{
  "error": {
    "code": 403,
    "message": "User not authorized to perform this action.",
    "errors": [
      {
        "message": "User not authorized to perform this action.",
        "domain": "global",
        "reason": "forbidden"
      }
    ],
    "status": "PERMISSION_DENIED"
  }
}

Can someone tell me what I'm doing wrong ? 有人能告诉我我做错了什么吗? It's really annoying to set those permissions by hand all the time. 手动设置这些权限真的很烦人。

Thanks. 谢谢。

To use projects.topics.setIamPolicy method your service account must have a "Pub/Sub Admin" role. 要使用projects.topics.setIamPolicy方法,您的服务帐户必须具有“发布/订阅管理员”角色。 You can change a role of the account by visiting "IAM & admin" page for your project: https://console.cloud.google.com/iam-admin/iam 您可以通过访问项目的“IAM&admin”页面来更改帐户的角色: https//console.cloud.google.com/iam-admin/iam

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM