This article describes how to handle being unable to sign a JWT when using serviceAccountId. It should be a useful reference for anyone hitting the problem; if you need it, read on with the editor!

Problem description


We've switched from service account keys to serviceAccountIds (or tried to) so we can clean up all the rogue keys we have. After rolling out the change we're seeing:

Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/[email protected].; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature.

The thing is, we've definitely got the correct role applied (see attachment). We've even tried a few more for good measure.

Thanks!

Solution

There are two service accounts being used in this case:

  1. The service account used to authorize RPC calls (in case of Cloud Functions, this is the App Engine default service account).
  2. The service account you have specified as the serviceAccountId.

It seems IAM only works when BOTH service accounts have the signBlob permission. I have inquired with the GCP/IAM team about this. In the meantime, here are a couple of fixes you can try immediately:

  • Grant the token creator role to the App Engine default service account of your project.
  • Once you do that, you don't have to specify a serviceAccountId at all. The SDK will auto-discover that same service account ID when running in Functions.
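
As an added example (not code from the question, the answer, or the Firebase SDK): a small Node.js check that parses the error quoted above, then tests both service accounts the answer names against a project IAM policy and prints the gcloud grant for whichever one lacks the Token Creator role. The project id, account names, error text and policy are all constructed.

```javascript
// Added example, not code from the original question or answer. It models the
// answer's point: BOTH the calling service account (App Engine default) and the
// account named in serviceAccountId need the Token Creator role. The error text
// and IAM policy below are constructed; the policy mirrors the JSON shape of
// `gcloud projects get-iam-policy PROJECT --format=json`.
const TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator";

// Pull the required permission and the target account out of the SDK error text.
function parseSignBlobError(message) {
  const m = message.match(
    /Permission (\S+) is required to perform this operation on service account projects\/[^/]+\/serviceAccounts\/(\S+?)\.?(?:;|\s|$)/
  );
  return m ? { permission: m[1], serviceAccount: m[2] } : null;
}

// All principals holding `role` anywhere in the policy's bindings.
function membersWithRole(policy, role) {
  const members = new Set();
  for (const b of policy.bindings || []) {
    if (b.role === role) (b.members || []).forEach((x) => members.add(x));
  }
  return members;
}

// Return the service accounts (caller first) that still lack the Token Creator role.
function missingTokenCreator(policy, callerSa, targetSa) {
  const holders = membersWithRole(policy, TOKEN_CREATOR);
  return [callerSa, targetSa].filter((sa) => !holders.has(`serviceAccount:${sa}`));
}

// gcloud command that grants the role to one account at project level.
function grantCommand(projectId, sa) {
  return `gcloud projects add-iam-policy-binding ${projectId} --member=serviceAccount:${sa} --role=${TOKEN_CREATOR}`;
}

// Constructed sample: the signer SA was granted the role (as in the question),
// but the App Engine default SA that actually makes the RPC was not.
const PROJECT_ID = "example-project";
const CALLER_SA = `${PROJECT_ID}@appspot.gserviceaccount.com`;
const SAMPLE_ERROR =
  "Permission iam.serviceAccounts.signBlob is required to perform this operation on service account " +
  `projects/-/serviceAccounts/signer@${PROJECT_ID}.iam.gserviceaccount.com.; Please refer to ` +
  "https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details";
const SAMPLE_POLICY = {
  bindings: [
    { role: TOKEN_CREATOR, members: [`serviceAccount:signer@${PROJECT_ID}.iam.gserviceaccount.com`] },
    { role: "roles/editor", members: [`serviceAccount:${CALLER_SA}`] },
  ],
};

const parsedError = parseSignBlobError(SAMPLE_ERROR);
for (const sa of missingTokenCreator(SAMPLE_POLICY, CALLER_SA, parsedError.serviceAccount)) {
  console.log(`missing ${TOKEN_CREATOR}: ${sa}\n  fix: ${grantCommand(PROJECT_ID, sa)}`);
}
```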

That is all for this article on being unable to sign a JWT when using serviceAccountId. We hope the answer we recommended helps, and we hope you will keep supporting us!

09-03 12:35