无法在Firebase云功能中创建自定义令牌，因为该服务帐户没有必要的权限 [英] Can't create a custom token in firebase cloud functions because the service account doesn't have the necessary permissions

问题描述

调用admin.auth().createCustomToken()时，出现以下错误:

When calling admin.auth().createCustomToken(), I get the following error:

需要iam.serviceAccounts.signBlob权限才能对服务帐户项目/-/serviceAccounts/kaleido-maastricht@appspot.gserviceaccount.com执行此操作.请参阅 https://firebase.google.com/docs/auth/admin/create-custom-tokens 了解有关如何使用和解决此功能的更多详细信息.

Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/kaleido-maastricht@appspot.gserviceaccount.com.; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature.

因此，我去看看云平台控制台的IAM部分中提到的服务帐户，它具有Editor角色，实际上，它没有signBlob权限.我可以更改该角色以解决此问题?我尝试根据编辑器创建自定义角色，但是无法将createBlob权限添加到自定义角色.

So I go look at the mentioned service account in the IAM section of the cloud platform console, and it has the Editor role, which, indeed, does not have the signBlob permission. What role could I change it to to fix this? I tried creating a custom role based on Editor, but the createBlob permission can't be added to custom roles.

推荐答案

链接到的文档页面的底部有一个疑难解答部分.您将被引导在此处阅读以获得帮助.它说:

The page of documentation you linked to has a section for troubleshooting at the bottom. You're directed to read there for help. It says:

如果用于签署令牌的服务帐户ID没有 iam.serviceAccounts.signBlob权限，您可能会收到一条错误消息 类似于以下内容:

If the service account ID used to sign tokens does not have the iam.serviceAccounts.signBlob permission, you may get an error message like the following:

Permission iam.serviceAccounts.signBlob is required to perform this
operation on service account
projects/-/serviceAccounts/{your-service-account-id}.

解决此问题的最简单方法是授予服务帐户令牌" 所创建的服务帐户的创建者" IAM角色:

The easiest way to resolve this is to grant the "Service Account Token Creator" IAM role to the service account in question:

1. 在Google Cloud Platform控制台中打开IAM和管理页面.
2. 选择您的项目，然后单击继续".
3. 单击与您要更新的服务帐户ID对应的编辑图标.
4. 单击添加其他角色".
5. 在搜索过滤器中输入服务帐户令牌创建者"，然后从结果中选择它.
6. 单击保存"以确认角色授予.

1. Open the IAM and admin page in the Google Cloud Platform Console.
2. Select your project and click "Continue".
3. Click the edit icon corresponding to the service account ID you wish to update.
4. Click on "Add Another Role".
5. Type "Service Account Token Creator" into the search filter, and select it from the results.
6. Click "Save" to confirm the role grant.

有关此过程的更多详细信息，请参阅IAM文档，或了解 如何使用gcloud命令行工具更新角色.

Refer to IAM documentation for more details on this process, or learn how to do update roles using the gcloud command-line tools.

这篇关于无法在Firebase云功能中创建自定义令牌，因为该服务帐户没有必要的权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！