无法在 firebase 云函数中创建自定义令牌,因为服务帐户没有必要的权限
Can't create a custom token in firebase cloud functions because the service account doesn't have the necessary permissions
调用 admin.auth().createCustomToken() 时,出现以下错误:
Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/kaleido-maastricht@appspot.gserviceaccount.com.; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature.
于是我去云平台控制台IAM部分查看提到的服务账号,有Editor角色,确实没有signBlob权限。我可以将其更改为什么角色来解决此问题?我尝试创建一个基于编辑器的自定义角色,但是createBlob权限无法添加到自定义角色。
您链接到的文档页面底部有一个故障排除部分。您被定向到 read there 寻求帮助。它说:
If the service account ID used to sign tokens does not have the
iam.serviceAccounts.signBlob permission, you may get an error message
like the following:
Permission iam.serviceAccounts.signBlob is required to perform this
operation on service account
projects/-/serviceAccounts/{your-service-account-id}.
The easiest way to resolve this is to grant the "Service Account Token
Creator" IAM role to the service account in question:
- Open the IAM and admin page in the Google Cloud Platform Console.
- Select your project and click "Continue".
- Click the edit icon corresponding to the service account ID you wish to update.
- Click on "Add Another Role".
- Type "Service Account Token Creator" into the search filter, and select it from the results.
- Click "Save" to confirm the role grant.
Refer to IAM documentation for more details on this process, or learn
how to do update roles using the gcloud command-line tools.
我有同样的错误,并且可以看到服务帐户在 GCP IAM 控制台中具有 "Service Account Token Creator" 角色 UI。
是什么为我解决了这个问题:
确保您使用的是正确的 Firebase 项目:
firebase use your-project
确保您使用的是 "App Engine default service account",例如your-project@appspot.gserviceaccount.com.
通过 gcloud cli 将角色授予该服务帐户:
gcloud projects add-iam-policy-binding your-project --member serviceAccount:your-project@appspot.gserviceaccount.com --role roles/iam.serviceAccountTokenCreator
部署 Firebase:
firebase deploy
在那之后它对我有用(但在没有部署的情况下通过 UI 设置它之后就不行了)。
我认为这应该显示服务帐户上的角色:
gcloud iam service-accounts get-iam-policy your-project@appspot.gserviceaccount.com --project your-project
但对我来说仍然给出 etag: ACAB,即使我可以在上一个命令的输出中看到该角色,并且可以看到该角色有效,因为它现在能够创建自定义令牌。
按照以下步骤转到控制台访问此 link https://console.cloud.google.com/iam-admin/iam?project=[project-id]:
- 单击编辑图标 [your-project]@appspot.gserviceaccount.com
- 单击添加另一个角色
- 在搜索过滤器中输入Service Account Token Creator,然后select从结果中
- 点击保存确认
调用 admin.auth().createCustomToken() 时,出现以下错误:
Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/kaleido-maastricht@appspot.gserviceaccount.com.; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature.
于是我去云平台控制台IAM部分查看提到的服务账号,有Editor角色,确实没有signBlob权限。我可以将其更改为什么角色来解决此问题?我尝试创建一个基于编辑器的自定义角色,但是createBlob权限无法添加到自定义角色。
您链接到的文档页面底部有一个故障排除部分。您被定向到 read there 寻求帮助。它说:
If the service account ID used to sign tokens does not have the iam.serviceAccounts.signBlob permission, you may get an error message like the following:
Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/{your-service-account-id}.The easiest way to resolve this is to grant the "Service Account Token Creator" IAM role to the service account in question:
- Open the IAM and admin page in the Google Cloud Platform Console.
- Select your project and click "Continue".
- Click the edit icon corresponding to the service account ID you wish to update.
- Click on "Add Another Role".
- Type "Service Account Token Creator" into the search filter, and select it from the results.
- Click "Save" to confirm the role grant.
Refer to IAM documentation for more details on this process, or learn how to do update roles using the gcloud command-line tools.
我有同样的错误,并且可以看到服务帐户在 GCP IAM 控制台中具有 "Service Account Token Creator" 角色 UI。
是什么为我解决了这个问题:
确保您使用的是正确的 Firebase 项目:
firebase use your-project
确保您使用的是 "App Engine default service account",例如your-project@appspot.gserviceaccount.com.
通过 gcloud cli 将角色授予该服务帐户:
gcloud projects add-iam-policy-binding your-project --member serviceAccount:your-project@appspot.gserviceaccount.com --role roles/iam.serviceAccountTokenCreator
部署 Firebase:
firebase deploy
在那之后它对我有用(但在没有部署的情况下通过 UI 设置它之后就不行了)。
我认为这应该显示服务帐户上的角色:
gcloud iam service-accounts get-iam-policy your-project@appspot.gserviceaccount.com --project your-project
但对我来说仍然给出 etag: ACAB,即使我可以在上一个命令的输出中看到该角色,并且可以看到该角色有效,因为它现在能够创建自定义令牌。
按照以下步骤转到控制台访问此 link https://console.cloud.google.com/iam-admin/iam?project=[project-id]:
- 单击编辑图标 [your-project]@appspot.gserviceaccount.com
- 单击添加另一个角色
- 在搜索过滤器中输入Service Account Token Creator,然后select从结果中
- 点击保存确认