Problem description
I'm trying to use file.getSignedUrl() to get the download URL from Firebase Storage via Google Cloud Functions (Nodejs). I'm getting this error in the Cloud Functions console:
{ SigningError: A Forbidden error was returned while attempting to retrieve an access token for the Compute Engine built-in service account. This may be because the Compute Engine instance does not have the correct permission scopes specified. Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/myapp-cd94d/serviceAccounts/myapp-cd94d@appspot.gserviceaccount.com.
at SigningError (/user_code/node_modules/@google-cloud/storage/build/src/file.js:58:9)
at authClient.sign.then.catch.err (/user_code/node_modules/@google-cloud/storage/build/src/file.js:1019:22)
at process._tickDomainCallback (internal/process/next_tick.js:135:7) name: 'SigningError' }
I … from Add the Firebase Admin SDK to Your Server
Error parsing triggers: Cannot find module 'serviceAccountKey.json'
const admin = require('firebase-admin');
// Service account key file downloaded from the Firebase console
var serviceAccount = require("./myapp-cd94d-firebase-adminsdk-1234x-sEcReT.json");

admin.initializeApp({
  credential: admin.credential.cert(serviceAccount),
  databaseURL: "https://myapp-cd94d.firebaseio.com"
});

// ... (elided in the original post)

// Options for a read-only signed URL
const config = {
  action: 'read',
  expires: '03-17-2025'
};

file.getSignedUrl(config)
  .then(function(data) {
    const url = data[0];
    console.log(url);
  })
  .catch(function(error) {
    // The SigningError shown above is logged here
    console.error(error);
  });
I saw that Doug Stevenson's answer has different code but it appears to be equivalent to the code in the documentation.
Recommended answer
The answer has to do with Cloud Identity and Access Management. First, go to your Google Cloud Platform IAM & admin page. You'll see various service accounts. Look for the service account that looks like myapp-cd99d@appspot.gserviceaccount.com. It should say App Engine default service account in the Name column. (If an error message referenced a different service account, find that service account.)
In the Role column, you may or may not see some roles. If you're getting a SigningError message, the Role column is missing the role Service Account Token Creator. Check the checkbox to the left of myapp-cd99d@appspot.gserviceaccount.com to select the service account, and then click the pencil to the right to edit it. In the next screen, click +ADD ANOTHER ROLE. Scroll down to Service Accounts, select Service Account Token Creator, and save. Now you should see Service Account Token Creator in the Roles column for App Engine default service account. Now you have permission to create signed tokens.
Next, repeat these steps and add a role for Storage Object Creator. This will allow you to run getSignedURL().
You could alternatively assign Service Account Admin and Storage Admin, which include the Service Account Token Creator and Storage Object Creator roles respectively, plus other roles.
Now, if you instead got a SingingError message, it might be because you're warbling Bruce Springsteen's "Glory Days" out of tune. :-)
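As an added example (not part of the original question or answer), the role check the answer performs by eye in the IAM console can be run over a policy exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`. The function names and the sample policy are constructed for illustration; the role IDs are assumed to be those of the two roles the answer names, and `PROJECT_ID` is a placeholder.

```javascript
// Added example, not code from the original post.
// Role IDs of the two roles the answer names (assumed mapping from display names).
const REQUIRED_ROLES = [
  'roles/iam.serviceAccountTokenCreator', // contains iam.serviceAccounts.signBlob
  'roles/storage.objectCreator',
];

// Classify each required role for one service account as 'granted',
// 'conditional' (bound only under an IAM condition) or 'missing'.
function auditSigningRoles(policy, serviceAccountEmail, required = REQUIRED_ROLES) {
  const member = `serviceAccount:${serviceAccountEmail}`;
  const status = new Map(required.map((role) => [role, 'missing']));
  for (const binding of policy.bindings || []) {
    if (!status.has(binding.role)) continue;
    if (!(binding.members || []).includes(member)) continue;
    if (!binding.condition) {
      status.set(binding.role, 'granted'); // an unconditional grant wins
    } else if (status.get(binding.role) === 'missing') {
      status.set(binding.role, 'conditional');
    }
  }
  return Object.fromEntries(status);
}

// Roles that still need attention before getSignedUrl() can sign.
function missingRoles(policy, serviceAccountEmail) {
  const report = auditSigningRoles(policy, serviceAccountEmail);
  return Object.keys(report).filter((role) => report[role] !== 'granted');
}

// Constructed sample policy: the App Engine default service account from the
// error message has Editor and Storage Object Creator, but the Token Creator
// role is bound only to a different (hypothetical) member.
const SAMPLE_SA = 'myapp-cd94d@appspot.gserviceaccount.com';
const samplePolicy = {
  bindings: [
    { role: 'roles/editor', members: [`serviceAccount:${SAMPLE_SA}`] },
    { role: 'roles/storage.objectCreator', members: [`serviceAccount:${SAMPLE_SA}`] },
    { role: 'roles/iam.serviceAccountTokenCreator', members: ['user:dev@example.com'] },
  ],
};

console.log(auditSigningRoles(samplePolicy, SAMPLE_SA));
console.log('still missing:', missingRoles(samplePolicy, SAMPLE_SA));
```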