1

我正在尝试通过 Golang 中的设备 API 获取或列出设备,但我一直在获取Error 403: The caller does not have permission, forbidden. 我做了以下步骤:

  1. 创建了一个服务帐户并以 .json 格式检索了服务帐户密钥。然后,我使用具有范围的服务帐户的数字 ID 启用了宽域委派:
  - "https://www.googleapis.com/auth/cloud-platform"
  - "https://www.googleapis.com/auth/cloud-identity"
  - "https://www.googleapis.com/auth/cloud-identity.devices"
  1. 为服务帐户添加了以下权限:
$ gcloud iam service-accounts get-iam-policy example@example.iam.gserviceaccount.com

bindings:
- members:
  - user:mysuperadminuser@example
  role: roles/iam.serviceAccountAdmin
- members:
  - serviceAccount:example@example.iam.gserviceaccount.com
  - mysuperadminuser@example
  role: roles/iam.serviceAccountTokenCreator
- members:
  - user:mysuperadminuser@example
  role: roles/iam.serviceAccountUser
- members:
  - serviceAccount:example@example.iam.gserviceaccount.com
  - user:mysuperadminuser@example
  role: roles/owner
  1. 然后我有以下代码来列出设备和组,模拟管理员用户(我自己):
func getDevicesAndGroups(ctx context.Context, credentialsFile string) {

    data, _ := ioutil.ReadFile(credentialsFile) // json file from the service account

    config, _ := google.JWTConfigFromJSON(data, "https://www.googleapis.com/auth/cloud-platform", "https://www.googleapis.com/auth/cloud-identity", "https://www.googleapis.com/auth/cloud-identity.devices")

    config.Subject = "mysuperadminuser@example"
    ts := config.TokenSource(ctx)
    httpClient := config.Client(ctx)

    ciService, err := cloudidentity.NewService(ctx, option.WithTokenSource(ts))

    ds := cloudidentity.NewDevicesService(ciService)

    resp, err := ds.List().Customer("customers/my_customer").PageSize(1).OrderBy("email").Do()
    log.Infof("NewDevicesService resp %#v", resp)
    if err != nil {
        log.Errorf("Unable to retrieve devices: %v", err)
    }

    gs := cloudidentity.NewGroupsService(ciService)
    respgs, err := gs.List().Parent("customers/my_customer").PageSize(1).Context(ctx).View("BASIC").Do()
    log.Infof("NewGroupsService %#v", respgs)
    if err != nil {
        log.Errorf("Unable to retrieve groups: %v", err)
    }

}

但是,列出设备的调用不断返回以下错误:

 Error 403: The caller does not have permission, forbidden

但是列出组的调用给了我一个200 response code,这意味着请求成功返回结果。

想知道是否有人可以指出我可能缺少的权限的正确方向?

4

0 回答 0