SigningError with Firebase getSignedUrl()

Question

I'm trying to use file.getSignedUrl() to get the download URL from Firebase Storage via Google Cloud Functions (Nodejs). I'm getting this error in the Cloud Functions console:

{ SigningError: A Forbidden error was returned while attempting to retrieve an access token for the Compute Engine built-in service account. This may be because the Compute Engine instance does not have the correct permission scopes specified. Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/myapp-cd94d/serviceAccounts/myapp-cd94d@appspot.gserviceaccount.com.
    at SigningError (/user_code/node_modules/@google-cloud/storage/build/src/file.js:58:9)
    at authClient.sign.then.catch.err (/user_code/node_modules/@google-cloud/storage/build/src/file.js:1019:22)
    at process._tickDomainCallback (internal/process/next_tick.js:135:7) name: 'SigningError' }

I copied the code from the Add the Firebase Admin SDK to Your Server documentation. I have my serviceAccountKey.json in my functions folder. firebase deploy isn't giving me the error

Error parsing triggers: Cannot find module 'serviceAccountKey.json'

so I must have the right path to my serviceAccountKey.json. I even generated a new private key, that didn't fix the problem. I have firebase-admin 6.1.0 and firebase-tools 6.1.0. Here's the relevant parts of my code:

const admin = require('firebase-admin');
var serviceAccount = require("./myapp-cd94d-firebase-adminsdk-1234x-sEcReT.json");

admin.initializeApp({
  credential: admin.credential.cert(serviceAccount),
  databaseURL: "https://myapp-cd94d.firebaseio.com"
});

...

const config = {
  action: 'read',
  expires: '03-17-2025'
};

file.getSignedUrl(config)
  .then(function(data) {
    const url = data[0];
    console.log(url);
  })
  .catch(function(error) {
    console.error(error);
  });

I saw that Doug Stevenson's answer has different code but it appears to be equivalent to the code in the documentation.

Recommended answer

The answer has to do with Cloud Identity and Access Management. First, go to your Google Cloud Platform IAM & admin page. You'll see various service accounts. Look for the service account that looks like myapp-cd99d@appspot.gserviceaccount.com. It should say App Engine default service account in the Name column. (If an error message referenced a different service account, find that service account.)

In the Role column, you may or may not see some roles. If you're getting a SigningError message, the Role column is missing the role Service Account Token Creator. Check the checkbox to the left of myapp-cd99d@appspot.gserviceaccount.com to select the service account, and then click the pencil to the right to edit it. In the next screen, click +ADD ANOTHER ROLE. Scroll down to Service Accounts, select Service Account Token Creator, and save. Now you should see Service Account Token Creator in the Roles column for App Engine default service account. Now you have permission to create signed tokens.

Next, repeat these steps and add a role for Storage Object Creator. This will allow you to run getSignedURL().

You could alternatively assign Service Account Admin and Storage Admin, which include the Service Account Token Creator and Storage Object Creator roles respectively, plus other roles.

Now, if you instead got a SingingError message, it might be because you're warbling Bruce Springsteen's "Glory Days" out of tune. :-)
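
The role check the answer walks through in the console can also be run against an exported IAM policy. The following is an added example, not part of the original answer: it assumes the policy JSON comes from gcloud projects get-iam-policy, uses the role IDs roles/iam.serviceAccountTokenCreator and roles/storage.objectCreator for the two roles the answer names, and inspects project-level bindings only. The function name auditSigningRoles and the sample policy are constructed for illustration.

```javascript
// Added example (not from the original answer). Role IDs for the two roles
// the answer names by their console display names.
const REQUIRED_ROLES = [
  'roles/iam.serviceAccountTokenCreator', // Service Account Token Creator
  'roles/storage.objectCreator',          // Storage Object Creator
];

// policy: object shaped like the output of
//   gcloud projects get-iam-policy PROJECT_ID --format=json
// Returns { role: 'granted' | 'conditional' | 'missing' } per required role.
// Assumption: only project-level bindings are inspected; a role granted on
// the service account resource itself will not show up here.
function auditSigningRoles(policy, serviceAccountEmail) {
  const member = `serviceAccount:${serviceAccountEmail}`;
  const status = {};
  for (const role of REQUIRED_ROLES) status[role] = 'missing';

  for (const binding of (policy && policy.bindings) || []) {
    if (!REQUIRED_ROLES.includes(binding.role)) continue;
    if (!(binding.members || []).includes(member)) continue;
    if (!binding.condition) {
      status[binding.role] = 'granted';
    } else if (status[binding.role] === 'missing') {
      // Conditional bindings apply only while their expression is true,
      // so report them separately instead of counting them as a grant.
      status[binding.role] = 'conditional';
    }
  }
  return status;
}

// Constructed sample policy reproducing the question's failure case: the
// account can create objects but has no Token Creator binding, so
// iam.serviceAccounts.signBlob is denied and getSignedUrl() fails.
const SERVICE_ACCOUNT = 'myapp-cd94d@appspot.gserviceaccount.com';
const samplePolicy = {
  version: 3,
  bindings: [
    { role: 'roles/editor', members: [`serviceAccount:${SERVICE_ACCOUNT}`] },
    { role: 'roles/storage.objectCreator',
      members: ['user:dev@example.com', `serviceAccount:${SERVICE_ACCOUNT}`] },
  ],
};

console.log(auditSigningRoles(samplePolicy, SERVICE_ACCOUNT));
```

A 'missing' result for roles/iam.serviceAccountTokenCreator corresponds to the SigningError in the question.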
