委托人(用户或服务帐户)缺少IAM权限，即"cloudtasks.tasks.create".为资源 [英] The principal (user or service account) lacks IAM permission "cloudtasks.tasks.create" for the resource

问题描述

当我尝试将任务添加到队列时，抛出了以上错误消息.这是我的设置以及有关此问题的信息:

The above error message is being thrown when I try to add a task to a queue. Here is my setup and the info about this problem:

• 项目ID:my-project
• 服务帐户ID:my-service-account
• 任务队列名称:my-queue
• 任务队列位置:asia-northeast1(Cloud Task当前处于测试版的少数位置之一)

• Project ID: my-project
• Service Account ID: my-service-account
• Task Queue Name: my-queue
• Task Queue Location: asia-northeast1 (one of the few locations where Cloud Task is currently in beta)

此外，让我们确认以上所有条件均已存在并且正在运行.

Also, let's confirm that all the above exist and are running.

当我通过发布到https://cloudresourcemanager.googleapis.com/v1/projects/my-project:getIamPolicy

我收到类似于以下内容的回复:

I receive a response similar to:

{
    "status": 200,
    "data":
    {
        "version": 1,
        "etag": "BwV6nNWJg4E=",
        "bindings": [
        {
            "role": "roles/cloudtasks.admin",
            "members": [
                "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"
            ]
        },
        {
            "role": "roles/cloudtasks.enqueuer",
            "members": [
                "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"
            ]
        }]
    }
}

如您所见，my-service-account具有以下两个角色:

As you can see, my-service-account has the following 2 roles:

1. roles/cloudtasks.admin
2. roles/cloudtasks.enqueuer

这两个角色均具有cloudtasks.tasks.create权限.

Both of those roles have the cloudtasks.tasks.create permission baked in.

当我尝试使用以下命令将任务添加到云任务"时:

When I try to add a task to the Cloud Task using the following:

POST https://cloudtasks.googleapis.com/v2beta3/projects/my-project/locations/asia-northeast1/queues/my-queue/tasks +任务有效载荷

POST https://cloudtasks.googleapis.com/v2beta3/projects/my-project/locations/asia-northeast1/queues/my-queue/tasks + task payload

我收到以下错误消息:

{
    "status": 403,
    "data":
    {
        "error":
        {
            "code": 403,
            "message": "The principal (user or service account) lacks IAM permission \"cloudtasks.tasks.create\" for the resource \"projects/my-project/locations/asia-northeast1/queues/my-queue\" (or the resource may not exist).",
            "status": "PERMISSION_DENIED"
        }
    }
}

这真的使我感到困惑.

有人知道我在做什么错吗?

Is there anybody who knows what I might be doing wrong?

推荐答案

首先检查哪个服务帐户用于调用API.看起来任何使API调用的行为都使用了可能没有适当权限的默认服务帐户.

有时，如果您忽略必须在API调用中使用wchich服务帐户，则将使用默认帐户，并且您可能会自动获得已通过凭据认证，不允许您创建任务.

Sometimes if you omit wchich service account has to be user in API call then default account will be used and you may get authenticated with credentials that don't won't let you create tasks.

我建议使用 API密钥进行身份验证，以消除与以下内容的混淆正在验证哪个服务帐户.

I recommend using API keys to authenticate to rule out any confusion with which service account is being authenticated.

讨论(并解决了)非常类似的案例这里.

Very similar case was discussed (and solved) here.

这篇关于委托人(用户或服务帐户)缺少IAM权限，即"cloudtasks.tasks.create".为资源的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！