cloudtasks.CreateTask失败:即使我的帐户具有该权限,也缺少IAM权限"cloudtasks.tasks.create" [英] cloudtasks.CreateTask fails: `lacks IAM permission "cloudtasks.tasks.create"` even though my account has that permission
问题描述
我正在遵循创建HTTP目标任务指南.当我运行下面发布的代码时,出现此错误:
I'm following the Creating HTTP Target tasks guide. When I run the code posted below I get this error:
cloudtasks.CreateTask: rpc error: code = PermissionDenied
desc = The principal (user or service account)
lacks IAM permission "cloudtasks.tasks.create" for the resource
"projects/my_project/locations/europe-west1/queues/my_queue"
(or the resource may not exist).
我已使用 gcloud auth登录my@email.com 登录.my@email.com拥有由我的自定义云任务角色设置的以下权限:
I have signed in with gcloud auth login my@email.com.
my@email.com has the following permissions set by my custom cloud task role:
- cloudtasks.locations.get
- cloudtasks.locations.list
- cloudtasks.queues.get
- cloudtasks.queues.list
- cloudtasks.tasks.create
- cloudtasks.tasks.delete
- cloudtasks.tasks.fullView
- cloudtasks.tasks.get
- cloudtasks.tasks.list
- cloudtasks.tasks.run
我不明白.我还要检查什么?
I don't get it. What more should I check?
main.go
// Run `PROJECT_ID=my_project QUEUE_ID=my_queue go run main.go`
package main
import (
"context"
"fmt"
"os"
cloudtasks "cloud.google.com/go/cloudtasks/apiv2"
taskspb "google.golang.org/genproto/googleapis/cloud/tasks/v2"
)
var (
locationID = "europe-west1"
url = "example.com/callback"
message = "testing"
)
func main() {
projectID := os.Getenv("PROJECT_ID")
queueID := os.Getenv("QUEUE_ID")
task, err := createHTTPTask(projectID, locationID, queueID, url, message)
if err != nil {
fmt.Println(err)
}
fmt.Println(task)
}
// createHTTPTask creates a new task with a HTTP target then adds it to a Queue.
func createHTTPTask(projectID, locationID, queueID, url, message string) (*taskspb.Task, error) {
// Create a new Cloud Tasks client instance.
// See https://godoc.org/cloud.google.com/go/cloudtasks/apiv2
ctx := context.Background()
client, err := cloudtasks.NewClient(ctx)
if err != nil {
return nil, fmt.Errorf("NewClient: %v", err)
}
// Build the Task queue path.
queuePath := fmt.Sprintf("projects/%s/locations/%s/queues/%s", projectID, locationID, queueID)
// Build the Task payload.
// https://godoc.org/google.golang.org/genproto/googleapis/cloud/tasks/v2#CreateTaskRequest
req := &taskspb.CreateTaskRequest{
Parent: queuePath,
Task: &taskspb.Task{
// https://godoc.org/google.golang.org/genproto/googleapis/cloud/tasks/v2#HttpRequest
MessageType: &taskspb.Task_HttpRequest{
HttpRequest: &taskspb.HttpRequest{
HttpMethod: taskspb.HttpMethod_POST,
Url: url,
},
},
},
}
// Add a payload message if one is present.
req.Task.GetHttpRequest().Body = []byte(message)
createdTask, err := client.CreateTask(ctx, req)
if err != nil {
return nil, fmt.Errorf("cloudtasks.CreateTask: %v", err)
}
return createdTask, nil
}
Cloud Tasks API 已启用.
推荐答案
在过去的几天里,我一直遇到相同的问题,并已解决.我用来创建API客户端和创建任务的库所使用的凭据与我预期的不同.
I've been having the same issue for the past couple of days and figured it out. The library I was using to create the API client and create a task was using different credentials than I expected.
对于那些使用应用程序默认凭据"或至少让客户端自动找到凭据的用户,请查看以下页面:
For those that are using "application default credentials", or at least letting the client find credentials automatically, take a look at this page: https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
我已经创建了一个具有所有正确角色的服务帐户,并假设API客户端正在使用该服务帐户.原来我没有传递密钥文件,因此它使用的是应用程序默认凭据".对于我的用例,应用程序默认凭据"指的是App Engine默认服务帐户.当我向API客户端提供用于自定义服务帐户的密钥文件时,它就可以正常工作.
I had created a service account with all the right roles and was assuming the API client was using the service account. Turns out I wasn't passing in the key file and thus it was using the "application default credentials". For my use case, "application default credentials" referred to the App Engine default service account. When I supplied the API client with a key file for my custom service account, it worked.
这篇关于cloudtasks.CreateTask失败:即使我的帐户具有该权限,也缺少IAM权限"cloudtasks.tasks.create"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
