![](/img/trans.png)
[英]What's the equivalent IAM role for https://www.googleapis.com/auth/devstorage.read_write scope
[英]Anonymous caller does not have storage.objects.create access but my JWT has scope https://www.googleapis.com/auth/devstorage.full_control
我正在遵循服务器到服务器OAuth2流的文档 (创建自己的JWT而不是使用库)。
我已经创建了具有正确权限的服务帐户,可以上传到我的存储桶。 我顺利拿到由的access_token https://www.googleapis.com/oauth2/v4/token与范围https://www.googleapis.com/auth/devstorage.full_control在文档和使用我的服务帐户的电子邮件描述。
当我按照所述在我的POST请求上将access_token添加为标头时,出现以下错误消息:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Anonymous caller does not have storage.objects.create access to bucket/object.",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Anonymous caller does not have storage.objects.create access to bucket/object."
}
}
这是我的JWT结构:
$googleJson = json_decode(file_get_contents('/app/config/jwt/google.json'), true);
$time = time();
$headers = [
'alg' => 'RS256',
'typ' => 'JWT'
];
$payload = [
'iss' => $googleJson['client_email'],
'scope' => 'https://www.googleapis.com/auth/devstorage.full_control'
'aud' => 'https://www.googleapis.com/oauth2/v4/token',
'exp' => $time + 120,
'iat' => $time
];
$jwt = JWTService::create($headers, $payload, $googleJson['private_key']);
return http_build_query([
'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
'assertion' => $jwt
]);
我在这里想念什么? 显然,这个access_token应该可以验证我的请求,但是将请求标记为Anonymous caller
的错误消息使我怀疑我根本没有经过验证。
这是我用来创建JWT的功能:
public static function create(array $headers, array $payload, string $privateKey): string
{
$headers = json_encode($headers);
$payload = json_encode($payload);
$base64UrlHeader = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($headers));
$base64UrlPayload = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($payload));
openssl_sign($base64UrlHeader . '.' . $base64UrlPayload, $signature, $privateKey, 'sha256');
$base64UrlSignature = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($signature));
return $base64UrlHeader . '.' . $base64UrlPayload . '.' . $base64UrlSignature;
}
更新:当我将访问令牌作为与&access_token=<access_token>
之类的查询参数一起使用时&access_token=<access_token>
它可以工作,因此由于某种原因,访问令牌不能用作标题,并且我不知道为什么
Update2:我将标头设置为键值数组,例如
[
Authorization => Bearer <token>
]
糟糕,抱歉
我将标题设置为键值数组,例如
[
Authorization => Bearer <token>
]
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.