
What is the proper scope to use in IAMCredentialsClient for a GCP cloud function 2nd gen that requires authentication from a service account?

I have this code to generate an access token for a GCP Cloud Function 2nd gen:

const {IAMCredentialsClient} = require('@google-cloud/iam-credentials');

// Creates a client
const client = new IAMCredentialsClient();

async function generateAccessToken() {
    const [token] = await client.generateAccessToken({
        name: `projects/-/serviceAccounts/<MY SERVICE ACCOUNT NAME>@<MY PROJECT NAME>.iam.gserviceaccount.com`,
        scope: ["https://www.googleapis.com/auth/cloud-platform"],
    });
    console.info(token);
}
generateAccessToken();

But it gives me a 401 error when I use the token that it logs in Postman. I'm assuming that I'm not using the right scope/scopes.

What is the correct scope/scopes? Or am I making a different mistake? This code DOES produce a token, the token just doesn't run the function.

To create, update, or perform other administrative actions on a function, you must have a principal that has an appropriate role. Check "Authenticating function to function calls" for more information.

Create a service account with no permissions except to invoke your Cloud Function, deploy the JSON key for that account with your calling code, and set the GOOGLE_APPLICATION_CREDENTIALS environment variable.

If the code generates an access token for a GCP Cloud Function 2nd gen and it supports OAuth 2, try Google's Workload Identity Federation; see its documentation for more information.
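An added example, not code from the question or the answer above: the documented way to invoke a Cloud Functions 2nd gen function (which runs on Cloud Run) as a service account is a Google-signed OIDC ID token whose `aud` claim is the function's own URL, minted with `IAMCredentialsClient.generateIdToken`, rather than an OAuth2 access token, whose `scope` list does not control function invocation. The snippet builds that request, decodes the returned token locally to confirm its audience and expiry before sending it (a cheap way to diagnose a 401 without guessing at scopes), and then calls the function. The service account e-mail and function URL are placeholders passed on the command line; it assumes the caller holds roles/iam.serviceAccountTokenCreator on that service account and the service account holds the invoker role on the function.

```javascript
// Added example (not from the original post): invoke a Cloud Functions 2nd gen
// function with an ID token minted through the IAM Credentials API.
// Assumptions: service-account e-mail and function URL come from argv (placeholders);
// the caller can impersonate the service account (roles/iam.serviceAccountTokenCreator)
// and the service account may invoke the function (roles/cloudfunctions.invoker
// or roles/run.invoker).

// Resource name format used by the IAM Credentials API: "projects/-/serviceAccounts/<email>".
function buildIdTokenRequest(serviceAccountEmail, functionUrl) {
  return {
    name: `projects/-/serviceAccounts/${serviceAccountEmail}`,
    audience: functionUrl, // the function's own URL, not an OAuth2 scope
    includeEmail: true,    // puts the service-account e-mail into the ID token
  };
}

// base64url -> UTF-8 string (works on Node versions without the 'base64url' Buffer encoding).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Read the (unverified) payload of a JWT. Local sanity check only:
// the function itself verifies the signature against Google's keys.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected 3 dot-separated segments');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns the reason the token would be rejected for this function, or null if it looks usable.
function checkIdToken(token, functionUrl, nowSeconds = Math.floor(Date.now() / 1000)) {
  const payload = decodeJwtPayload(token);
  if (payload.aud !== functionUrl) {
    return `audience mismatch: token aud=${payload.aud}, function url=${functionUrl}`;
  }
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) {
    return 'token is expired';
  }
  return null;
}

// Mint the ID token and call the function. Needs @google-cloud/iam-credentials and
// Application Default Credentials; required lazily so the helpers above run offline.
async function invokeFunction(serviceAccountEmail, functionUrl) {
  const { IAMCredentialsClient } = require('@google-cloud/iam-credentials');
  const client = new IAMCredentialsClient();
  const [response] = await client.generateIdToken(buildIdTokenRequest(serviceAccountEmail, functionUrl));
  const problem = checkIdToken(response.token, functionUrl);
  if (problem) throw new Error(problem);
  // Node 18+ global fetch; the function expects "Authorization: Bearer <ID token>".
  const res = await fetch(functionUrl, { headers: { Authorization: `Bearer ${response.token}` } });
  if (res.status === 401 || res.status === 403) {
    throw new Error(`function rejected the call with HTTP ${res.status}; check invoker role and audience`);
  }
  return res.text();
}

// Usage: node invoke.js SERVICE_ACCOUNT_EMAIL https://FUNCTION_URL   (both are placeholders)
if (typeof require !== 'undefined' && require.main === module && process.argv.length >= 4) {
  invokeFunction(process.argv[2], process.argv[3])
    .then((body) => console.log(body))
    .catch((err) => { console.error(err.message); process.exit(1); });
}
```

If `checkIdToken` reports an audience mismatch, the token was minted for a different URL than the one being called (a trailing slash or a custom domain is enough); if it passes and the function still answers 401 or 403, the problem is the invoker IAM binding on the function, not the token.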
