gmail.users.watch无法使用DwD服务帐户将测试消息发送到PubSub [英] gmail.users.watch fails to send test message to PubSub with a DwD service account
问题描述
我正在尝试设置gmail.users.watch,但收到403错误:
I'm trying to setup gmail.users.watch but am getting a 403 error:
Error sending test message to Cloud PubSub projects/project-id/topics/topic-id : User not authorized to perform this action.
正在使用GOOGLE_APPLICATION_CREDENTIALS
方法和下载的凭据json文件进行身份验证.
Authentication is working using the GOOGLE_APPLICATION_CREDENTIALS
approach and the downloaded credentials json file.
以下代码可以正常工作,这支持了我的身份验证通常可以正常工作的假设:
The following code works correctly which supports my hypothesis that the authentication is generally working:
const pubsub = PubSub();
const topic = pubsub.topic('topic-id');
const subscription = pubsub.subscription('subscription-id');
topic.exists()
.then(data => {
console.log(data);
return subscription.exists();
})
.then(data => {
console.log(data);
return subscription.pull()
})
.then(data => {
data[1].receivedMessages.forEach(d => console.log(d));
return topic.publish('Hello, world!');
})
.then(data => {
console.log(data)
})
.catch(err => console.log(err));
该代码没有错误.但是,以下代码将引发上述403错误:
No errors from that code. However the following code throws the 403 error described above:
const authParams = {
subject: userId,
scopes: [
'https://mail.google.com/',
'https://www.googleapis.com/auth/pubsub'
]
};
gauth.getAuth(authParams)
.then(authClient => {
const params = {
auth: authClient,
userId: 'me',
resource: {
topicName: <topic-id>
}
};
return new Promise((resolve, reject) => {
gmail.users.watch(params, (err, response) => {
if (err) {
console.log(err);
reject(err);
return;
}
resolve(response);
});
});
})
.then(response => {
console.log(response);
});
gauth.getAuth
是围绕getApplicationDefault
适用于Node.js的Google身份验证库.
G Suite域安全性客户端访问已根据所需范围配置了服务帐户的客户端ID:
https://www.googleapis.com/auth/pubsub
,https://mail.google.com/
The G Suite domain security Client Access is configured with the Client ID of the service account against the scopes needed:
https://www.googleapis.com/auth/pubsub
, https://mail.google.com/
由于本机云发布/订阅服务器的工作原理,我认为该服务帐户具有在控制台上配置的所有正确权限,因此对于gmail调用失败的原因我有些茫然.
As the native cloud pub/sub stuff works I think the service account has all of the correct permissions configured on the console so I'm a bit at a loss as to why the gmail call is failing.
更新: 服务帐户在Google Cloud Console上具有以下权限:
UPDATE: Service Account has the following permissions on Google Cloud Console:
项目:(是否需要更多的gmail内容?)
Project: (Does it need more than this for the gmail stuff?)
- 服务帐户执行者
- PubSub管理员
主题:
- 所有者
订阅:
- 所有者
拨打gmail电话时,服务帐户委派给主题".我已将该用户userId的权限添加到了Google Cloud Console:
When making the gmail call the service account is delegating to a 'subject'. I've added permissions for that subject userId to the Google Cloud Console:
项目:
- 所有者
主题:
- 所有者
订阅:
- 所有者
推荐答案
您需要添加权限,以便可以将消息发布到您的订阅中.
You need to add permissions so messages can be publish to your subscription.
转到Google Cloud控制台,选择订阅,然后选择权限". 在添加成员"部分中,键入 allAuthenticatedUsers ,选择 Pub/Sub发布者角色,然后单击添加
Go to Google Cloud console, select the subscription and then Permissions. In the Add members section, type allAuthenticatedUsers, select the Pub/Sub publisher role and click Add
有帮助吗?
更新(2017/05/09):
Update (2017/05/09):
我正在编辑我的答案,以便更准确地了解所需内容.
I'm editing my answer in order to be more accurate about what's needed.
根据 Gmail API文档(请参见 授予对您的主题的发布权限 部分):
According to the Gmail API documentation (see the Grant publish rights on your topic section):
- 需要在主题级别设置权限
- 成员是: serviceAccount:gmail-api-push@system.gserviceaccount.com
- 角色是: Pub/Sub Publisher
这篇关于gmail.users.watch无法使用DwD服务帐户将测试消息发送到PubSub的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!