gmail.users.watch无法使用DwD服务帐户将测试消息发送到PubSub [英] gmail.users.watch fails to send test message to PubSub with a DwD service account

问题描述

我正在尝试设置gmail.users.watch，但收到403错误:

I'm trying to setup gmail.users.watch but am getting a 403 error:

Error sending test message to Cloud PubSub projects/project-id/topics/topic-id : User not authorized to perform this action.

正在使用GOOGLE_APPLICATION_CREDENTIALS方法和下载的凭据json文件进行身份验证.

Authentication is working using the GOOGLE_APPLICATION_CREDENTIALS approach and the downloaded credentials json file.

以下代码可以正常工作，这支持了我的身份验证通常可以正常工作的假设:

The following code works correctly which supports my hypothesis that the authentication is generally working:

const pubsub = PubSub();
const topic = pubsub.topic('topic-id');
const subscription = pubsub.subscription('subscription-id');
topic.exists()
  .then(data => {
    console.log(data);
    return subscription.exists();
  })
  .then(data => {
    console.log(data);
    return subscription.pull()
  })
  .then(data => {
    data[1].receivedMessages.forEach(d => console.log(d));
    return topic.publish('Hello, world!');
  })
  .then(data => {
    console.log(data)
  })
  .catch(err => console.log(err));

该代码没有错误.但是，以下代码将引发上述403错误:

No errors from that code. However the following code throws the 403 error described above:

const authParams = {
  subject: userId,
  scopes: [
    'https://mail.google.com/',
    'https://www.googleapis.com/auth/pubsub'
  ]
};

gauth.getAuth(authParams)
  .then(authClient => {
    const params = {
      auth: authClient,
      userId: 'me',
      resource: {
        topicName: <topic-id>
      }
    };

    return new Promise((resolve, reject) => {
      gmail.users.watch(params, (err, response) => {
        if (err) {
          console.log(err);
          reject(err);
          return;
        }
        resolve(response);
      });
    });
  })
  .then(response => {
    console.log(response);
  });

gauth.getAuth是围绕getApplicationDefault 适用于Node.js的Google身份验证库.

G Suite域安全性客户端访问已根据所需范围配置了服务帐户的客户端ID: https://www.googleapis.com/auth/pubsub，https://mail.google.com/

The G Suite domain security Client Access is configured with the Client ID of the service account against the scopes needed: https://www.googleapis.com/auth/pubsub, https://mail.google.com/

由于本机云发布/订阅服务器的工作原理，我认为该服务帐户具有在控制台上配置的所有正确权限，因此对于gmail调用失败的原因我有些茫然.

As the native cloud pub/sub stuff works I think the service account has all of the correct permissions configured on the console so I'm a bit at a loss as to why the gmail call is failing.

更新: 服务帐户在Google Cloud Console上具有以下权限:

UPDATE: Service Account has the following permissions on Google Cloud Console:

项目:(是否需要更多的gmail内容?)

Project: (Does it need more than this for the gmail stuff?)

• 服务帐户执行者
• PubSub管理员

主题:

• 所有者

订阅:

• 所有者

拨打gmail电话时，服务帐户委派给主题".我已将该用户userId的权限添加到了Google Cloud Console:

When making the gmail call the service account is delegating to a 'subject'. I've added permissions for that subject userId to the Google Cloud Console:

项目:

• 所有者

主题:

• 所有者

订阅:

• 所有者

推荐答案

您需要添加权限，以便可以将消息发布到您的订阅中.

You need to add permissions so messages can be publish to your subscription.

转到Google Cloud控制台，选择订阅，然后选择权限". 在添加成员"部分中，键入 allAuthenticatedUsers ，选择 Pub/Sub发布者角色，然后单击添加

Go to Google Cloud console, select the subscription and then Permissions. In the Add members section, type allAuthenticatedUsers, select the Pub/Sub publisher role and click Add

有帮助吗?

更新(2017/05/09):

Update (2017/05/09):

我正在编辑我的答案，以便更准确地了解所需内容.

I'm editing my answer in order to be more accurate about what's needed.

根据 Gmail API文档(请参见 授予对您的主题的发布权限 部分):

According to the Gmail API documentation (see the Grant publish rights on your topic section):

• 需要在主题级别设置权限
• 成员是: serviceAccount:gmail-api-push@system.gserviceaccount.com
• 角色是: Pub/Sub Publisher

这篇关于gmail.users.watch无法使用DwD服务帐户将测试消息发送到PubSub的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！