This article describes how to handle the Firebase signing error from getSignedUrl(). It may be a useful reference for anyone solving the same problem.

Problem description

I'm trying to use file.getSignedUrl() to get the download URL from Firebase Storage via Google Cloud Functions (Nodejs). I'm getting this error in the Cloud Functions console:

{ SigningError: A Forbidden error was returned while attempting to retrieve an access token for the Compute Engine built-in service account. This may be because the Compute Engine instance does not have the correct permission scopes specified. Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/myapp-cd94d/serviceAccounts/myapp-cd94d@appspot.gserviceaccount.com.
    at SigningError (/user_code/node_modules/@google-cloud/storage/build/src/file.js:58:9)
    at authClient.sign.then.catch.err (/user_code/node_modules/@google-cloud/storage/build/src/file.js:1019:22)
    at process._tickDomainCallback (internal/process/next_tick.js:135:7) name: 'SigningError' }

I copied the code from the Add the Firebase Admin SDK to Your Server documentation. I have my serviceAccountKey.json in my functions folder. firebase deploy isn't giving me the error

Error parsing triggers: Cannot find module 'serviceAccountKey.json'

so I must have the right path to my serviceAccountKey.json. I even generated a new private key, that didn't fix the problem. I have firebase-admin 6.1.0 and firebase-tools 6.1.0. Here's the relevant parts of my code:

const admin = require('firebase-admin');
var serviceAccount = require("./myapp-cd94d-firebase-adminsdk-1234x-sEcReT.json");

admin.initializeApp({
  credential: admin.credential.cert(serviceAccount),
  databaseURL: "https://myapp-cd94d.firebaseio.com"
});

...

const config = {
  action: 'read',
  expires: '03-17-2025'
};

file.getSignedUrl(config)
  .then(function(data) {
    const url = data[0];
    console.log(url);
  })
  .catch(function(error) {
    console.error(error);
  });

I saw that Doug Stevenson's answer has different code but it appears to be equivalent to the code in the documentation.

Recommended answer

The answer has to do with Cloud Identity and Access Management. First, go to your Google Cloud Platform IAM & admin page. You'll see various service accounts. Look for the service account that looks like myapp-cd99d@appspot.gserviceaccount.com. It should say App Engine default service account in the Name column. (If an error message referenced a different service account, find that service account.)

In the Role column, you may or may not see some roles. If you're getting a SigningError message, the Role column is missing the role Service Account Token Creator. Check the checkbox to the left of myapp-cd99d@appspot.gserviceaccount.com to select the service account, and then click the pencil to the right to edit it. In the next screen, click +ADD ANOTHER ROLE. Scroll down to Service Accounts, select Service Account Token Creator, and save. Now you should see Service Account Token Creator in the Roles column for App Engine default service account. Now you have permission to create signed tokens.

Next, repeat these steps and add a role for Storage Object Creator. This will allow you to run getSignedURL().

You could alternatively assign Service Account Admin and Storage Admin, which include the Service Account Token Creator and Storage Object Creator roles respectively, plus other roles.

Now, if you instead got a SingingError message, it might be because you're warbling Bruce Springsteen's "Glory Days" out of tune. :-)
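
Added example (not part of the original question or answer): a small Node.js helper that reads the missing permission and the service account out of a SigningError like the one quoted in the question and builds the matching role binding. The helper names are hypothetical, and the binding is placed on the service account itself rather than on the whole project, which is a narrower grant than the console steps above.

```javascript
// Added example; helper names are hypothetical, not part of @google-cloud/storage.
// Predefined role that contains the permission named in the error.
const ROLE_FOR_PERMISSION = new Map([
  ['iam.serviceAccounts.signBlob', 'roles/iam.serviceAccountTokenCreator'],
]);

// Extract the missing permission, project and service account from the error text.
function parseSigningError(err) {
  if (!err || err.name !== 'SigningError') return null;
  const m = /Permission (\S+) is required to perform this operation on service account projects\/([^/\s]+)\/serviceAccounts\/(\S+)/
    .exec(String(err.message));
  if (!m) return null;
  // The message ends the e-mail address with a sentence full stop; drop it.
  return { permission: m[1], project: m[2], serviceAccount: m[3].replace(/\.$/, '') };
}

// Build the role binding. Values that are not plain identifiers are refused,
// because the resulting command is meant to be pasted into a shell.
function remediation(parsed) {
  if (!parsed || !ROLE_FOR_PERMISSION.has(parsed.permission)) return null;
  const okAccount = /^[a-z0-9.-]+@[a-z0-9.-]+\.gserviceaccount\.com$/i.test(parsed.serviceAccount);
  const okProject = /^[a-z0-9-]+$/i.test(parsed.project);
  if (!okAccount || !okProject) return null;
  const role = ROLE_FOR_PERMISSION.get(parsed.permission);
  const member = `serviceAccount:${parsed.serviceAccount}`;
  // Bound on the service account resource, so the account can sign only as itself.
  const command = `gcloud iam service-accounts add-iam-policy-binding ${parsed.serviceAccount}` +
    ` --project=${parsed.project} --member=${member} --role=${role}`;
  return { role, member, command };
}

// Constructed sample: the message text is the one quoted in the question.
const sampleError = Object.assign(new Error(
  'A Forbidden error was returned while attempting to retrieve an access token for ' +
  'the Compute Engine built-in service account. This may be because the Compute Engine ' +
  'instance does not have the correct permission scopes specified. Permission ' +
  'iam.serviceAccounts.signBlob is required to perform this operation on service account ' +
  'projects/myapp-cd94d/serviceAccounts/myapp-cd94d@appspot.gserviceaccount.com.'),
  { name: 'SigningError' });

console.log(remediation(parseSigningError(sampleError)).command);
```

In a Cloud Function, the same two calls can go in the .catch() handler of getSignedUrl() so the log names the exact account and role instead of only the raw error.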
