Google API Node.js 图书馆 - 在项目级别向服务帐户授予角色
[英]Google API Node.js Library - Grant Role to service account at project level
问题描述
Goal
目标
Assign a role dialogflow.admin to a service account I created for a project using the Node.js Client library for Google APIs.将角色dialogflow.admin分配给我为使用 Google API 的 Node.js 客户端库为项目创建的服务帐户。
Issue问题
When I try to update my service accounts IAM Policy and add a role to the service account.当我尝试更新我的服务帐户 IAM 策略并向服务帐户添加角色时。 I get an error that the role is not supported for this resource type.我收到此资源类型不支持该角色的错误消息。
I am trying to give my service account the Dialogflow API Admin Role roles/dialogflow.admin我正在尝试为我的服务帐户提供Dialogflow API Admin Role roles/dialogflow.admin
The method in the Node.js client library I am using is iam.projects.serviceAccounts.setIamPolicy .我使用的 Node.js 客户端库中的方法是iam.projects.serviceAccounts.setIamPolicy 。
I have already managed to create the service account with this Node.js client library with a function shown here.我已经设法使用此处显示的 function 的 Node.js 客户端库创建服务帐户。
async function createServiceAccount(projectID, serviceAccountID){
const authClient = await auth.getClient();
var request = {
name: "projects/"+projectID,
resource: {
"accountId": serviceAccountID,
"serviceAccount": {
"description" : "Service Account for project: "+projectID+" for DialogFlow authentication with VA",
"displayName": "VA Dialogflow Service Account "+projectID
}
},
auth: authClient,
};
await iam.projects.serviceAccounts.create(request, function(err, response) {
if (err) {
console.error(err);
return;
}
console.log(JSON.stringify(response, null, 2));
});
}
after this function runs, and I am sure the service account is created, I run my function that is meant to set the roles of this service account. function 运行后,我确定服务帐户已创建,我运行我的function 来设置此服务帐户的角色。
async function setServiceAccountRoles(projectID, serviceAccountID){
const authClient = await auth.getClient();
var request = {
resource_: "projects/"+projectID+"/serviceAccounts/"+serviceAccountID,
resource: {
policy: {
bindings: [
{
// role: "projects/"+projectID+"roles/dialogflow.admin",
role: "roles/dialogflow.admin",
"members": [
"serviceAccount:"+serviceAccountID
]
}
],
version: 1
}
},
auth: authClient,
};
await iam.projects.serviceAccounts.setIamPolicy(request, function(err, response) {
if (err) {
console.error(err);
return;
}
console.log(JSON.stringify(response, null, 2));
});
}
Error错误
When I run this function I am give this error:当我运行此 function 时,出现此错误:
code: 400,
errors: [
{
message: 'Role roles/dialogflow.admin is not supported for this resource.',
domain: 'global',
reason: 'badRequest'
}
]
I have used these following resources to get this far: https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/setIamPolicy我已经使用以下这些资源来实现这一目标: https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/setIamPolicy
https://cloud.google.com/iam/docs/reference/rest/v1/Policy https://cloud.google.com/iam/docs/reference/rest/v1/Policy
https://cloud.google.com/iam/docs/granting-changing-revoking-access#granting_access_to_a_service_account_for_a_resource https://cloud.google.com/iam/docs/granting-changing-revoking-access#granting_access_to_a_service_account_for_a_resource
Alternative methods.替代方法。
I have tried changing the role to a project specific path like this:我试过将角色更改为这样的项目特定路径:
async function setServiceAccountRoles(projectID, serviceAccountID){
const authClient = await auth.getClient();
var request = {
resource_: "projects/"+projectID+"/serviceAccounts/"+serviceAccountID,
resource: {
policy: {
bindings: [
{
role: "projects/"+projectID+"roles/dialogflow.admin",
"members": [
"serviceAccount:"+serviceAccountID
]
}
],
version: 1
}
},
auth: authClient,
};
await iam.projects.serviceAccounts.setIamPolicy(request, function(err, response) {
if (err) {
console.error(err);
return;
}
console.log(JSON.stringify(response, null, 2));
});
}
however, with this I get the error: message: "Role (projects/va-9986d601/roles/dialogflow.admin) does not exist in the resource's hierarchy.",然而,有了这个我得到错误: message: "Role (projects/va-9986d601/roles/dialogflow.admin) does not exist in the resource's hierarchy.",
Is it possible that the only way to update my service account's roles and permission is through the console or gcloud commands?是否有可能更新我的服务帐户的角色和权限的唯一方法是通过控制台或 gcloud 命令? If so, is there any recommended ways of running said gcloud commands through the node.js client library or from a node application itself?如果是这样,是否有任何推荐的方法通过 node.js 客户端库或从节点应用程序本身运行所述 gcloud 命令?
1 个解决方案
解决方案1
2 已采纳 2022-02-08 18:43:45
You are trying to set an IAM policy on the service account .您正尝试在服务帐户上设置 IAM 策略。 That is used to grant other identities access to the service account itself.这用于授予其他身份访问服务帐户本身的权限。
You should modify the IAM binding for the project and not for the service account.您应该修改项目的 IAM 绑定,而不是服务帐户。
Use the getIamPolicy and setIamPolicy .使用getIamPolicy和setIamPolicy 。 Examples are included with the documentation.示例包含在文档中。
WARNING : be very careful writing code that modifies a project's bindings.警告:编写修改项目绑定的代码时要非常小心。 If you overwrite the bindings you can easily lock yourself out of your project.如果您覆盖绑定,您可以轻松地将自己锁定在您的项目之外。 Then you would need to open a paid support ticket with Google Cloud Support.然后,您需要向 Google Cloud 支持开具付费支持票。 Practice with a throw away project.用一个一次性项目练习。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.