Unable to sign JWT when using serviceAccountId
Question
We've switched from service account keys to serviceAccountIds (or tried to) so we can clean up all the rogue keys we have. After rolling out the change we're seeing:
Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/xxxx@xxx.iam.gserviceaccount.com.; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature....}}
The thing is, we've definitely got the correct role applied (see attachment). We've even tried a few more for good measure.
Thanks!
Answer
There are two service accounts being used in this case:
- The service account used to authorize RPC calls (in the case of Cloud Functions, this is the App Engine default service account).
- The service account you have specified as the serviceAccountId.
It seems IAM only works when BOTH service accounts have the signBlob permission. I have inquired with the GCP/IAM team about this. In the meantime, here are a couple of fixes you can try immediately:
- Grant the token creator role to the App Engine default service account of your project.
- Once you do that, you don't have to specify a serviceAccountId at all. The SDK will auto-discover that same service account ID when running in Functions.
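A small audit script for the two-account situation the answer describes, added here as an example and not part of the original thread. It takes the IAM policy of the signer service account (the shape `gcloud iam service-accounts get-iam-policy <sa> --format=json` returns; the sample below is constructed), checks that both the RPC caller and the serviceAccountId account hold roles/iam.serviceAccountTokenCreator, and builds the binding commands for whichever is missing, scoped to the signer account rather than project-wide (my narrower choice, not the answer's exact step).

```python
import json

# roles/iam.serviceAccountTokenCreator carries iam.serviceAccounts.signBlob.
TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator"

# Constructed sample in the shape `gcloud iam service-accounts get-iam-policy
# <signer-sa> --format=json` returns. Only the caller holds the role here.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": TOKEN_CREATOR_ROLE,
         "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:signer@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXconstructed=",
})


def members_with_role(policy_json, role):
    """Return the set of members bound to `role` in an IAM policy document."""
    policy = json.loads(policy_json)
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def missing_token_creators(policy_json, caller_sa, signer_sa):
    """Return the accounts (RPC caller and serviceAccountId signer) that do
    not hold the Token Creator role; an empty list means both are set up."""
    granted = members_with_role(policy_json, TOKEN_CREATOR_ROLE)
    return [sa for sa in (caller_sa, signer_sa)
            if "serviceAccount:" + sa not in granted]


def fix_commands(signer_sa, missing):
    """Build gcloud commands binding each missing account to the role on the
    signer service account only (least privilege: no project-wide grant)."""
    return [
        "gcloud iam service-accounts add-iam-policy-binding {} "
        "--member=serviceAccount:{} --role={}".format(signer_sa, sa, TOKEN_CREATOR_ROLE)
        for sa in missing
    ]


if __name__ == "__main__":
    caller = "caller@example-project.iam.gserviceaccount.com"
    signer = "signer@example-project.iam.gserviceaccount.com"
    for cmd in fix_commands(signer, missing_token_creators(SAMPLE_POLICY, caller, signer)):
        print(cmd)
```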