我能够使用.Net中的IamService客户端API库在Google云中创建服务帐户。现在,我想为此服务帐户(roles / pubsub.publisher)分配一个'pubsub'角色。我的问题是出现以下错误:
Response Message: Google.Apis.Requests.RequestError
The caller does not have permission [403]
Errors[Message[The caller does not have permission] Location [-] Reason[forbidden] Domain[global]
我正在使用的资源名称如下:projects / {projectId} / serviceAccounts / {UniqueId}
下面是代码
var policyRequestBody = InitSetIamPolicyBody(responsePOSTUser);
var cloudResourceMgrService = InitCloudResourceManagerService(credServiceAccount, responsePOSTUser);
var resp = cloudResourceMgrService.Projects.SetIamPolicy(policyRequestBody, nameKeyParamPub).Execute();
//InitSetIamPolicyBody method
private Google.Apis.CloudResourceManager.v1beta1.Data.SetIamPolicyRequest InitSetIamPolicyBody(ServiceAccount serviceAccount)
{
var iamPolicyRequest = new Google.Apis.CloudResourceManager.v1beta1.Data.SetIamPolicyRequest();
iamPolicyRequest.Policy = new Google.Apis.CloudResourceManager.v1beta1.Data.Policy();
iamPolicyRequest.Policy.Bindings = new List<Google.Apis.CloudResourceManager.v1beta1.Data.Binding>();
iamPolicyRequest.UpdateMask = string.Empty;
var binding = new Google.Apis.CloudResourceManager.v1beta1.Data.Binding();
binding.Role = rolePubSub; //maybe add to config later
binding.Members = new List<string>();
binding.Members.Add("serviceAccount:" + serviceAccount.Email);
iamPolicyRequest.Policy.Bindings.Add(binding);
return iamPolicyRequest;
}
//GetCredentials method
private static string GetServiceAccountDetails(string path)
{
UserCredential credential;
using (var stream = new FileStream(filepath, FileMode.Open, FileAccess.Read))
{
string credPath = System.Environment.GetFolderPath(System.Environment.SpecialFolder.Personal);
credPath = Path.Combine(credPath, ".credentials/drive-dotnet-quickstart.json");
credential = GoogleWebAuthorizationBroker.AuthorizeAsync(
GoogleClientSecrets.Load(stream).Secrets,
Scopes,
"user",
CancellationToken.None,
new FileDataStore(credPath, true)).Result;
}
return credential;
}
任何帮助将不胜感激