[英]Unable to assign iam.serviceAccounts.signBlob permission
TLDR; TLDR; I'm having trouble assigning an IAM permission to a service account.
我在为服务帐号分配 IAM 权限时遇到问题。
I'm building a test that involves minting custom tokens with firebase Auth.我正在构建一个测试,涉及使用 firebase Auth 生成自定义令牌。 When I hit:
当我打:
const token = await admin.auth().createCustomToken('test', {
isAdmin: true,
})
the following error is thrown抛出以下错误
Permission iam.serviceAccounts.signBlob is required to perform
this operation on service account
projects/-/serviceAccounts/dashboard@appspot.gserviceaccount.com.;
Please refer to
https://firebase.google.com/docs/auth/admin/create-custom-tokens
for more details on how to use and troubleshoot this feature
In the referenced documentation it says to add the Service Account Token Creator role to the service account.在引用的文档中,它说将服务帐户令牌创建者角色添加到服务帐户。 I have added that role (as well as tried Service Account Admin to no avail.
我已经添加了该角色(以及尝试服务帐户管理员无济于事。
I can verify that my permissions seem to be correctly set, when I run gcloud projects get-iam-policy project
I can see my service account attached to the desired role我可以验证我的权限似乎设置正确,当我运行
gcloud projects get-iam-policy project
我可以看到我的服务帐户附加到所需的角色
- members:
- serviceAccount:dashboard@appspot.gserviceaccount.com
role: roles/iam.serviceAccountTokenCreator
However if I look at that specific service account, it seems to show up empty which would fall in line with my error:但是,如果我查看该特定服务帐户,它似乎显示为空,这与我的错误一致:
gcloud iam service-accounts get-iam-policy dashboard@appspot.gserviceaccount.com
etag: ACAB
I assume that whatever is causing my service account permissions to show up blank is the culprit, but I'm not sure where to debug further.我认为导致我的服务帐户权限显示为空白的原因是罪魁祸首,但我不确定在哪里进一步调试。 It seems to me the only difference is one command is called with a project in it, but I initialize my firebase app with the project id, and have verified it with
(firebase-admin).apps[0].options
so it seems like a dead end.在我看来,唯一的区别是一个命令被调用,其中包含一个项目,但我使用项目 ID 初始化了我的 firebase 应用程序,并使用
(firebase-admin).apps[0].options
对其进行了验证,因此看起来像死胡同。
Firebase mentions about this error on its docs: Firebase 在其文档中提到了这个错误:
https://firebase.google.com/docs/auth/admin/create-custom-tokens#failed_to_determine_service_account https://firebase.google.com/docs/auth/admin/create-custom-tokens#failed_to_determine_service_account
You must initialize your app correctly through a JSON config file.您必须通过 JSON 配置文件正确初始化您的应用程序。
A simple fix would be:一个简单的解决方法是:
In a few minutes your project will be able to create signed tokens.几分钟后,您的项目将能够创建签名令牌。
The sign
feature of a service account requires the iam.serviceAccounts.signBlob
permission.服务帐户的
sign
功能需要iam.serviceAccounts.signBlob
权限。 This permission is included in the Service Account Token role roles/iam.serviceAccountTokenCreator
此权限包含在服务帐户令牌角色
roles/iam.serviceAccountTokenCreator
You can assign this role at the "project" level or at the "service account" level.您可以在“项目”级别或“服务帐户”级别分配此角色。 This is why you see different results.
这就是为什么你会看到不同的结果。 Assigning roles at the project level affects permissions for all service accounts.
在项目级别分配角色会影响所有服务帐号的权限。 Assigning roles at the service account only affects that service account.
在服务帐户上分配角色只会影响该服务帐户。
The key to your problem is that the caller does not have this role on service account dashboard@appspot.gserviceaccount.com
.您的问题的关键是调用者在服务帐户
dashboard@appspot.gserviceaccount.com
上没有这个角色。 You have given the service account permission and NOT the caller.您已授予服务帐户权限,而不是调用方。 Look into your code for the service account that you used to setup the Firebase SDK.
查看用于设置 Firebase SDK 的服务帐户的代码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.