使用不带组织或文件夹的服务帐户创建GCP和Firebase项目 [英] Create GCP and Firebase Project with Service Account Without Organization or Folder

问题描述

我需要使用Google Cloud Platform(GCP)服务帐户来通过Resource Manager REST API以编程方式创建项目.我想以无头方式创建Firebase项目.

I have a need to use a Google Cloud Platform (GCP) Service Account to create Projects programmatically through the Resource Manager REST API. I want to create Firebase projects in a headless manner.

我们当前的解决方案涉及模仿用户和浏览器来实现此目的，因为在没有组织(或文件夹，该文件夹必须位于组织下)的情况下，似乎无法通过GCP资源管理器REST API创建作为服务帐户的项目).

Our current solution involves imitating a user and browser to achieve this because it does not appear possible to create a Project as a Service Account through the GCP Resource Manager REST API without an Organization (or a Folder, which must be under an Organization).

当我尝试将项目创建为服务帐户时，收到403错误请求响应，内容为:服务帐户不能在没有父项的情况下创建项目".

When I attempt to create a Project as a Service Account, I receive a 403 Bad Request response saying, "Service accounts cannot create projects without a parent".

尝试使用空的父项创建一个作为服务帐户的项目会产生一个400 Bad Request响应，内容为请求包含无效的参数".

Attempting to create a Project as a Service Account with an empty Parent produces a 400 Bad Request response saying, "Request contains an invalid argument".

尝试使用父项类型为"organization"且没有ID的父项来创建项目作为服务帐户，则会产生400 Bad Request响应，提示父项id必须为数字".

Attempting to create a Project as a Service Account with a Parent whose Type is "organization" without an Id produces a 400 Bad Request response saying, "Parent id must be numeric".

由于我没有组织(调用organizations.list返回 {} )，并且我无法在没有域的情况下创建一个组织，因此我不确定如何继续这条道路.

Since I don't have an Organization (calls to organizations.list return {}) and I can't create one without a domain, I'm unsure how to proceed down this path.

推荐答案

问:如何在没有GCP组织的情况下使用服务帐户以编程方式创建Google Cloud Platform(GCP)项目?

Q: How do you create Google Cloud Platform (GCP) projects programmatically using a service account without having a GCP Organization?

A :您不能.

gmail.com的实际用户可以在无组织中创建项目，但是服务帐户必须指定组织或文件夹作为项目创建时的父.

An actual gmail.com user can create projects in No Organization, but a Service Account must specify an organization or a folder as the parent at project creation time.

您当前以用户身份进行操作的解决方案可能是唯一真正的解决方法.为此，您可以使用 OAuth2 ClientID 和 Secret 为具有 https://www的用户获取 offline 凭据.googleapis.com/auth/cloud-platform 范围.然后，您可以使用该 refresh_token 生成用于调用access_tokens /rest/"rel =" noreferrer> Cloud Resource Manager API 到创建项目.

Your current solution of doing it as a user is probably the only real workaround. For that, you would use an OAuth2 ClientID and Secret to obtain offline credentials for the user with the https://www.googleapis.com/auth/cloud-platform scope. Then, you can use that refresh_token to generate access_tokens that you use to call the Cloud Resource Manager API to create projects.

但是，我会为组织提出一个 strong案.如果您可以获取域，则可以使用该域来设置 Cloud Identity 和获取组织资源.然后，您可以在组织资源上授予服务帐户 项目创建者角色，它将能够以编程方式创建项目.

However, I would make a strong case for the Organization. If you can obtain a domain, you can use that domain to setup Cloud Identity and get an Organization resource. Then, you can grant the Service Account the Project Creator role on your Organization resource and it will be able to programmatically create projects.

这里的胜利是，您使用此服务帐户创建的所有项目都将在一个组织下，因此您可以轻松地授予权限并管理所有项目集中在一个地方.一个新成员加入您的团队，而不必一次授予他们对每个Firebase或GCP项目的访问权限，您可以通过向 Organization 组织添加一个权限来做到这一点.

The win here is that all the projects you create with this Service Account will be under a single Organization so you can easily grant permissions and manage access across all of the projects in a single place. A new person joins your team, and instead having to grant them access to each of your Firebase or GCP projects one at a time, you can do it by adding a single permission to the Organization resource.

更多:授予，更改和撤消对资源的访问权限

这篇关于使用不带组织或文件夹的服务帐户创建GCP和Firebase项目的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！