无法分配iam.serviceAccounts.signBlob权限 [英] Unable to assign iam.serviceAccounts.signBlob permission

问题描述

TLDR；我无法将IAM权限分配给服务帐户.

TLDR; I'm having trouble assigning an IAM permission to a service account.

我正在构建一个测试，该测试涉及使用Firebase Auth铸造自定义令牌.当我点击时:

I'm building a test that involves minting custom tokens with firebase Auth. When I hit:

  const token = await admin.auth().createCustomToken('test', {
    isAdmin: true,
  })

引发以下错误

Permission iam.serviceAccounts.signBlob is required to perform
this operation on service account 
projects/-/serviceAccounts/dashboard@appspot.gserviceaccount.com.;
Please refer to 
https://firebase.google.com/docs/auth/admin/create-custom-tokens
for more details on how to use and troubleshoot this feature

在

我可以在运行时验证权限设置是否正确 gcloud projects get-iam-policy项目我可以看到我的服务帐户已附加到所需角色

I can verify that my permissions seem to be correctly set, when I run gcloud projects get-iam-policy project I can see my service account attached to the desired role

- members:
  - serviceAccount:dashboard@appspot.gserviceaccount.com
  role: roles/iam.serviceAccountTokenCreator

但是，如果我查看该特定服务帐户，它似乎显示为空，这与我的错误相符:

However if I look at that specific service account, it seems to show up empty which would fall in line with my error:

gcloud iam service-accounts get-iam-policy dashboard@appspot.gserviceaccount.com
etag: ACAB

• 为什么这两个命令&云控制台显示不同的信息?

我认为是导致我的服务帐户权限显示空白的原因是罪魁祸首，但是我不确定在哪里进行进一步调试.在我看来，唯一的区别是一个命令在其中调用了一个项目，但是我使用项目ID初始化了我的firebase应用程序，并使用(firebase-admin).apps [0] .options ，所以看来这是一个死胡同.

I assume that whatever is causing my service account permissions to show up blank is the culprit, but I'm not sure where to debug further. It seems to me the only difference is one command is called with a project in it, but I initialize my firebase app with the project id, and have verified it with (firebase-admin).apps[0].options so it seems like a dead end.

推荐答案

服务帐户的 sign 功能需要 iam.serviceAccounts.signBlob 权限.此权限包含在服务帐户令牌角色 roles/iam.serviceAccountTokenCreator

The sign feature of a service account requires the iam.serviceAccounts.signBlob permission. This permission is included in the Service Account Token role roles/iam.serviceAccountTokenCreator

您可以在项目"级别或服务帐户"级别分配此角色.这就是为什么您看到不同的结果的原因.在项目级别分配角色会影响所有服务帐户的权限.在服务帐户上分配角色只会影响该服务帐户.

You can assign this role at the "project" level or at the "service account" level. This is why you see different results. Assigning roles at the project level affects permissions for all service accounts. Assigning roles at the service account only affects that service account.

问题的关键在于，呼叫者在服务帐户 dashboard@appspot.gserviceaccount.com 上没有此角色.您已授予服务帐户权限，而不是呼叫者权限.在您的代码中查找用于设置Firebase SDK的服务帐户.

The key to your problem is that the caller does not have this role on service account dashboard@appspot.gserviceaccount.com. You have given the service account permission and NOT the caller. Look into your code for the service account that you used to setup the Firebase SDK.

这篇关于无法分配iam.serviceAccounts.signBlob权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！