堆栈内存溢出
  简体   繁体   English

无法分配 iam.serviceAccounts.signBlob 权限

[英]Unable to assign iam.serviceAccounts.signBlob permission

 原文  2019-08-19 22:10:54       google-cloud-platform/ firebase-authentication/ google-iam/ google-cloud-iam

问题描述

TLDR; TLDR; I'm having trouble assigning an IAM permission to a service account.我在为服务帐号分配 IAM 权限时遇到问题。

I'm building a test that involves minting custom tokens with firebase Auth.我正在构建一个测试,涉及使用 firebase Auth 生成自定义令牌。 When I hit:当我打:

  const token = await admin.auth().createCustomToken('test', {
    isAdmin: true,
  })

the following error is thrown抛出以下错误

Permission iam.serviceAccounts.signBlob is required to perform
this operation on service account 
projects/-/serviceAccounts/dashboard@appspot.gserviceaccount.com.;
Please refer to 
https://firebase.google.com/docs/auth/admin/create-custom-tokens
for more details on how to use and troubleshoot this feature

In the referenced documentation it says to add the Service Account Token Creator role to the service account.引用的文档中,它说将服务帐户令牌创建者角色添加到服务帐户。 I have added that role (as well as tried Service Account Admin to no avail.我已经添加了该角色(以及尝试服务帐户管理员无济于事。
图片验证权限

I can verify that my permissions seem to be correctly set, when I run gcloud projects get-iam-policy project I can see my service account attached to the desired role我可以验证我的权限似乎设置正确,当我运行gcloud projects get-iam-policy project我可以看到我的服务帐户附加到所需的角色

- members:
  - serviceAccount:dashboard@appspot.gserviceaccount.com
  role: roles/iam.serviceAccountTokenCreator

However if I look at that specific service account, it seems to show up empty which would fall in line with my error:但是,如果我查看该特定服务帐户,它似乎显示为空,这与我的错误一致:

gcloud iam service-accounts get-iam-policy dashboard@appspot.gserviceaccount.com
etag: ACAB
  • Why would those two commands & cloud console show differing information?为什么这两个命令和云控制台会显示不同的信息?

I assume that whatever is causing my service account permissions to show up blank is the culprit, but I'm not sure where to debug further.我认为导致我的服务帐户权限显示为空白的原因是罪魁祸首,但我不确定在哪里进一步调试。 It seems to me the only difference is one command is called with a project in it, but I initialize my firebase app with the project id, and have verified it with (firebase-admin).apps[0].options so it seems like a dead end.在我看来,唯一的区别是一个命令被调用,其中包含一个项目,但我使用项目 ID 初始化了我的 firebase 应用程序,并使用(firebase-admin).apps[0].options对其进行了验证,因此看起来像死胡同。

2 个解决方案

解决方案1
 9  2020-06-11 15:14:06

Firebase mentions about this error on its docs: Firebase 在其文档中提到了这个错误:

https://firebase.google.com/docs/auth/admin/create-custom-tokens#failed_to_determine_service_account https://firebase.google.com/docs/auth/admin/create-custom-tokens#failed_to_determine_service_account

You must initialize your app correctly through a JSON config file.您必须通过 JSON 配置文件正确初始化您的应用程序。

A simple fix would be:一个简单的解决方法是:

  1. Go to https://console.cloud.google.com/iam-admin/iam?project=PROJECT_NAME转到https://console.cloud.google.com/iam-admin/iam?project=PROJECT_NAME
  2. Edit your default service account.编辑您的默认服务帐户。
  3. Add the role Service Account Token Creator添加角色 Service Account Token Creator

In a few minutes your project will be able to create signed tokens.几分钟后,您的项目将能够创建签名令牌。

解决方案2
 7 已采纳  2019-08-20 00:25:45

The sign feature of a service account requires the iam.serviceAccounts.signBlob permission.服务帐户的sign功能需要iam.serviceAccounts.signBlob权限。 This permission is included in the Service Account Token role roles/iam.serviceAccountTokenCreator此权限包含在服务帐户令牌角色roles/iam.serviceAccountTokenCreator

You can assign this role at the "project" level or at the "service account" level.您可以在“项目”级别或“服务帐户”级别分配此角色。 This is why you see different results.这就是为什么你会看到不同的结果。 Assigning roles at the project level affects permissions for all service accounts.在项目级别分配角色会影响所有服务帐号的权限。 Assigning roles at the service account only affects that service account.在服务帐户上分配角色只会影响该服务帐户。

The key to your problem is that the caller does not have this role on service account dashboard@appspot.gserviceaccount.com .您的问题的关键是调用者在服务帐户dashboard@appspot.gserviceaccount.com上没有这个角色。 You have given the service account permission and NOT the caller.您已授予服务帐户权限,而不是调用方。 Look into your code for the service account that you used to setup the Firebase SDK.查看用于设置 Firebase SDK 的服务帐户的代码。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Terraform 抛出为服务帐户设置 IAM 策略时出错...需要权限 iam.serviceAccounts.setIamPolicy - Terraform throws Error setting IAM policy for service account ... Permission iam.serviceAccounts.setIamPolicy is required "403:对项目projects\/xyz执行此操作需要权限iam.serviceAccounts.create" - 403: Permission iam.serviceAccounts.create is required to perform this operation on project projects/xyz 在云运行上部署时,服务帐户的权限“iam.serviceaccounts.actAs”被拒绝 - Permission 'iam.serviceaccounts.actAs' denied on service account when deploying on cloud run 使用 Deployment Manager 进行 BQ 计划查询:“P4 服务帐户需要 iam.serviceAccounts.getAccessToken 权限” - BQ Schedule Queries with Deployment Manager: “P4 service account needs iam.serviceAccounts.getAccessToken permission” (Terraform,GCP)错误 403:需要权限 iam.serviceAccounts.setIamPolicy 才能对服务帐户项目/myproject-17 执行此操作 - (Terraform, GCP) Error 403: Permission iam.serviceAccounts.setIamPolicy is required to perform this operation on service account projects/myproject-17 (GCP,Terraform)创建服务帐户时出错:googleapi:错误 403:需要权限 iam.serviceAccounts.create 才能执行此操作 - (GCP, Terraform) Error creating service account: googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on 需要 iam.serviceAccounts.getIamPolicy 才能对服务帐户执行此操作 - iam.serviceAccounts.getIamPolicy is required to perform this operation on service account 使用自定义服务帐号部署到 Cloud Run 失败并出现 iam.serviceaccounts.actAs 错误 - Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error 如何在服务帐户上启用“iam.serviceAccounts.actAs”权限? - How do you enable "iam.serviceAccounts.actAs" permissions on a sevice account? GCP 中“列出”IAM 权限的说明 - Clarification on "list" IAM permission in GCP
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM