GCP API Gateway with an API Key 失败并显示 403 error stating....cloud.goog is not enabled for the project

Question

首先，让我向您展示一些我的 gcloud 设置。 当我运行gcloud config list时，这是我的 output：

[core]
account = <SERVICE ACCOUNT NAME>@<PROJECT NAME>.iam.gserviceaccount.com
disable_usage_reporting = True
project = <PROJECT NAME>

Your active configuration is: [default]

当我运行gcloud services list时，这是我的 output：

apigateway.googleapis.com            API Gateway API
artifactregistry.googleapis.com      Artifact Registry API
bigquery.googleapis.com              BigQuery API
bigquerymigration.googleapis.com     BigQuery Migration API
bigquerystorage.googleapis.com       BigQuery Storage API
cloudapis.googleapis.com             Google Cloud APIs
cloudbuild.googleapis.com            Cloud Build API
clouddebugger.googleapis.com         Cloud Debugger API
cloudfunctions.googleapis.com        Cloud Functions API
cloudresourcemanager.googleapis.com  Cloud Resource Manager API
cloudtrace.googleapis.com            Cloud Trace API
containerregistry.googleapis.com     Container Registry API
datastore.googleapis.com             Cloud Datastore API
eventarc.googleapis.com              Eventarc API
iam.googleapis.com                   Identity and Access Management (IAM) API
iamcredentials.googleapis.com        IAM Service Account Credentials API
logging.googleapis.com               Cloud Logging API
monitoring.googleapis.com            Cloud Monitoring API
oslogin.googleapis.com               Cloud OS Login API
pubsub.googleapis.com                Cloud Pub/Sub API
run.googleapis.com                   Cloud Run Admin API
secretmanager.googleapis.com         Secret Manager API
servicecontrol.googleapis.com        Service Control API
servicemanagement.googleapis.com     Service Management API
serviceusage.googleapis.com          Service Usage API
source.googleapis.com                Legacy Cloud Source Repositories API
sql-component.googleapis.com         Cloud SQL
storage-api.googleapis.com           Google Cloud Storage JSON API
storage-component.googleapis.com     Cloud Storage
storage.googleapis.com               Cloud Storage API
sts.googleapis.com                   Security Token Service API

我有一个带有以下配置文件的 API 网关：

swagger: '2.0'
info:
  title: <API TITLE>
  description: API Gateway First for Sphrn Testing
  version: 1.0.0
securityDefinitions:
  api_key_header:
    type: apiKey
    name: x-api-key
    in: header
schemes:
  - https
produces:
  - application/json
paths:
  /entrypoint1:
    post:
      summary: Simple echo service
      operationId: <OPERATION ID HERE>
      x-google-backend:
        address: https://<CLOUD FUNCTION NAME>-<STRING I DON'T RECOGNIZE>-uc.a.run.app
      security:
        - api_key_header: []
      responses:
        '200':
          description: OK

我使用此脚本从命令行调用 api：

curl --location --request POST 'https://<API CALLABLE ENDPOINT>.uc.gateway.dev/endpoint1' \
--header 'X-goog-api-key: <MY API KEY HERE>' \
--header 'Content-Type: application/json; charset=utf-8' \
--data-raw '{
    "name": "Test1"
}'

但它在我的终端中失败了：

{"code":403,"message":"PERMISSION_DENIED:API <SERVICE ACCOUNT NAME>-<STRING I DON'T RECOGNIZE>.apigateway.<PROJECT NAME>.cloud.goog is not enabled for the project."}

我的 API 密钥如下所示：

然后我进入了 API 网关端点的日志资源管理器，这是来自我的 403 失败 curl 命令的更详细的日志（当然经过清理以识别信息）：

{
    "httpRequest": {
        "latency": "0.040s",
        "protocol": "http",
        "remoteIp": "<MY IP ADDRESS>",
        "requestMethod": "POST",
        "requestSize": "1053",
        "requestUrl": "/endpoint1",
        "responseSize": "346",
        "status": 403
    },
    "insertId": "<LONG GUID LOOKING STRING>@a1",
    "jsonPayload": {
        "api_key": "<MY API KEY>",
        "api_key_state": "NOT ENABLED",
        "api_method": "1.<API ID>_<STRING I DON'T RECOGNIZE>_apigateway_<PROJECT NAME>_cloud_goog.<OPERATIONID FROM CONFIG YAML>",
        "api_name": "1.<API ID>_<STRING I DON'T RECOGNIZE>_apigateway_<PROJECT NAME>_cloud_goog",
        "api_version": "1.0.0",
        "error_cause": "API <API ID>_<STRING I DON'T RECOGNIZE>.apigateway.<PROJECT NAME>.cloud.goog is not enabled for the project.",
        "http_status_code": 403,
        "location": "us-central1",
        "log_message": "1.<API ID>_<STRING 1 I DON'T RECOGNIZE>_apigateway_<PROJECT NAME>_cloud_goog.<OPERATIONID FROM CONFIG YAML> is called",
        "producer_project_id": "<PROJECT NAME>",
        "response_code_detail": "service_control_check_error{SERVICE_NOT_ACTIVATED}",
        "service_agent": "ESPv2/2.40.0",
        "service_config_id": "<CONFIGURATION ID>",
        "timestamp": "<TIMESTAMP HERE AS DECIMAL>"
    },
    "logName": "projects/<PROJECT NAME>/logs/<API ID>_<STRING I DON'T RECOGNIZE>.apigateway.<PROJECT NAME>.cloud.goog%2Fendpoints_log",
    "receiveTimestamp": "<TIMESTAMP HERE AS STRING>",
    "resource": {
        "labels": {
            "location": "us-central1",
            "method": "1.<API ID>-<STRING I DON'T RECOGNIZE>_apigateway_<PROJECT NAME>_cloud_goog.<OPERATIONID FROM CONFIG YAML>",
            "project_id": "<PROJECT NAME>",
            "service": "<API ID>-<STRING I DON'T RECOGNIZE>.apigateway.<PROJECT NAME>.cloud.goog",
            "version": "1.0.0"
        },
        "type": "api"
    },
    "severity": "ERROR",
    "timestamp": "<TIMESTAMP HERE AS STRING>"
}

那么我如何让这个 curl 成功......？ 我假设这是一个权限问题，但我的服务帐户没有什么权限？

当我跑步时：

gcloud projects get-iam-policy <PROJECT ID> \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<SERVICE ACCOUNT NAME>@<PROJECT NAME>.iam.gserviceaccount.com"

我得到这个 output：

ROLE
roles/cloudfunctions.serviceAgent
roles/serviceusage.serviceUsageViewer

Answer 1

我必须使用我创建 GCP 项目的实际“主”Gmail 帐户启用该服务，并通过gcloud命令启用服务<SERVICE ACCOUNT NAME>-....apigateway.<PROJECT NAME>.cloud.goog 。 然后我又遇到了 1 个问题，我没有在 API 密钥限制菜单中启用我的 openapi 配置 yaml 文件中列出的operationId 。

我假设阅读本文的任何人都已经通过gcloud auth login使用他们的服务帐户登录并使用gcloud auth activate-service-account <SERVICE ACCOUNT NAME>@<PROJECT NAME>.iam.gserviceaccount.com --key-file=/path/to/keyfile.json

启用服务修复
我使用gcloud config set account <MASTER GCLOUD ACCOUNT NAME>@gmail.com将我的 gcloud 帐户切换到我的“主”帐户，然后：

gcloud services enable <SERVICE ACCOUNT NAME>-....apigateway.<PROJECT NAME>.cloud.goog \
--project=<PROJECT ID (THE NUMBER NOT THE TEXT NAME>

这使得在 header 中使用我的 API 密钥调用 API 给我一个新错误{"message":"PERMISSION_DENIED: The API targeted by this request is invalid for the given API key.","code":403}

operationId API 限制菜单修复
我必须在 API 密钥限制菜单中启用我的 openapi 配置 yaml 文件中列出的operationId 。 之后它出现在 API Key Credentials 页面的“Selected APIs”部分：

进行此更改后，我的 curl 请求：

curl --location --request POST 'https://<API CALLABLE ENDPOINT>.uc.gateway.dev/endpoint1' \
--header 'X-goog-api-key: <MY API KEY HERE>' \
--header 'Content-Type: application/json; charset=utf-8' \
--data-raw '{
    "name": "Test1"
}'

工作完美！