时间戳

首页 > 解决方案 > 如何解决此服务帐户创建错误?

authentication - 如何解决此服务帐户创建错误?

问题描述

我正在使用 google java sdk 使用 java sbt play framework 以编程方式为项目创建服务帐户

代码示例

但我收到此错误响应

com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Permission iam.serviceAccountKeys.create is required to perform this operation on service account projects/from-gcloud-249112/serviceAccounts/bhavaay-anand-095@from-gcloud-249112.iam.gserviceaccount.com.",
    "reason" : "forbidden"
  } ],
  "message" : "Permission iam.serviceAccountKeys.create is required to perform this operation on service account projects/from-gcloud-249112/serviceAccounts/bhavaay-anand-095@from-gcloud-249112.iam.gserviceaccount.com.",
  "status" : "PERMISSION_DENIED"
}

我做错了什么?我正在使用来自谷歌代码示例的确切代码。

public ServiceAccount createServiceAccount(String projectId, String name, String displayName) throws IOException {
    GoogleCredential credential = GoogleCredential.getApplicationDefault();
    if (credential.createScopedRequired()) {
        credential =
                credential.createScoped(Arrays.asList("https://www.googleapis.com/auth/cloud-platform"));
    }
    try {
         final Iam service = new Iam.Builder(
                GoogleNetHttpTransport.newTrustedTransport(),
                JacksonFactory.getDefaultInstance(),
                credential)
                .setApplicationName("service-accounts")
                .build();

        ServiceAccount serviceAccount = new ServiceAccount();
        serviceAccount.setDisplayName(displayName);
        CreateServiceAccountRequest request = new CreateServiceAccountRequest();
        request.setAccountId(name);
        request.setServiceAccount(serviceAccount);

        String serviceAccountEmail = "xxx";

        ServiceAccountKey key =
                service
                        .projects()
                        .serviceAccounts()
                        .keys()
                        .create(
                                "projects/" + projectId +"/serviceAccounts/" + serviceAccountEmail,
                                new CreateServiceAccountKeyRequest())
                        .execute();

        System.out.println("Created service account: " + serviceAccount);
        return serviceAccount;
    } catch(GeneralSecurityException e){
        System.err.println(e.getMessage());
        return null;
    }
}

标签: authenticationgoogle-cloud-platformservice-accountsgoogle-iam

解决方案

错误是您缺少执行该命令的权限“iam.serviceAccountKeys.create”。

我看到您正在加载默认凭据:

GoogleCredential credential = GoogleCredential.getApplicationDefault();

但是您之前是否设置了正确的凭据?

尝试做

gcloud auth login

或者

export GOOGLE_APPLICATION_CREDENTIALS="[PATH]"

在此处查看有关它的更多信息。

推荐阅读