I am trying to get or list devices through the Devices API in Golang, but I keep getting `Error 403: The caller does not have permission, forbidden`. I did the following steps:

- Created a service account and retrieved the service account key in .json format. Then I enabled domain-wide delegation using the service account's numeric ID with the scopes:
  - "https://www.googleapis.com/auth/cloud-platform"
  - "https://www.googleapis.com/auth/cloud-identity"
  - "https://www.googleapis.com/auth/cloud-identity.devices"
- Added the following permissions to the service account:

```
$ gcloud iam service-accounts get-iam-policy example@example.iam.gserviceaccount.com
bindings:
- members:
  - user:mysuperadminuser@example
  role: roles/iam.serviceAccountAdmin
- members:
  - serviceAccount:example@example.iam.gserviceaccount.com
  - mysuperadminuser@example
  role: roles/iam.serviceAccountTokenCreator
- members:
  - user:mysuperadminuser@example
  role: roles/iam.serviceAccountUser
- members:
  - serviceAccount:example@example.iam.gserviceaccount.com
  - user:mysuperadminuser@example
  role: roles/owner
```

- Then I have the following code to list devices and groups, impersonating the admin user (myself):
```go
package main

import (
	"context"
	"io/ioutil"
	log "github.com/sirupsen/logrus" // assumed: matches the log.Infof/Errorf calls used here
	"golang.org/x/oauth2/google"
	cloudidentity "google.golang.org/api/cloudidentity/v1"
	"google.golang.org/api/option"
)

func getDevicesAndGroups(ctx context.Context, credentialsFile string) {
	data, err := ioutil.ReadFile(credentialsFile) // JSON key file of the service account
	if err != nil {
		log.Fatalf("Unable to read credentials file: %v", err)
	}
	config, err := google.JWTConfigFromJSON(data, "https://www.googleapis.com/auth/cloud-platform", "https://www.googleapis.com/auth/cloud-identity", "https://www.googleapis.com/auth/cloud-identity.devices")
	if err != nil {
		log.Fatalf("Unable to parse service account key: %v", err)
	}
	config.Subject = "mysuperadminuser@example" // domain-wide delegation: act as the admin user
	ts := config.TokenSource(ctx)
	ciService, err := cloudidentity.NewService(ctx, option.WithTokenSource(ts))
	if err != nil {
		log.Fatalf("Unable to create Cloud Identity service: %v", err)
	}
	ds := cloudidentity.NewDevicesService(ciService)
	resp, err := ds.List().Customer("customers/my_customer").PageSize(1).OrderBy("email").Do()
	if err != nil {
		log.Errorf("Unable to retrieve devices: %v", err)
	}
	log.Infof("NewDevicesService resp %#v", resp)
	gs := cloudidentity.NewGroupsService(ciService)
	respgs, err := gs.List().Parent("customers/my_customer").PageSize(1).Context(ctx).View("BASIC").Do()
	if err != nil {
		log.Errorf("Unable to retrieve groups: %v", err)
	}
	log.Infof("NewGroupsService %#v", respgs)
}
```
However, the call to list devices keeps returning the following error:

```
Error 403: The caller does not have permission, forbidden
```

But the call to list groups gives me a `200` response code, meaning the request returned results successfully.

Wondering if anyone can point me in the right direction regarding the permission I might be missing?
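As an added example (not from the original post and not part of Google's client libraries), a stand-alone check for the assertion a `JWTConfig` sends during domain-wide delegation: decode its payload and compare the `sub` and `scope` claims against the scopes the call actually needs, before looking for a missing IAM role. The issuer, subject and signature in the sample are constructed placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// AssertionClaims are the JWT claims that matter for domain-wide delegation:
// iss (the service account), sub (the impersonated admin) and the scopes.
type AssertionClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Scope string `json:"scope"`
}

// DecodeAssertion reads a compact JWT's payload without verifying its signature (local inspection only).
func DecodeAssertion(jwt string) (AssertionClaims, error) {
	var c AssertionClaims
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return c, errors.New("not a compact JWT (expected 3 segments)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(payload, &c)
}

// MissingScopes lists required scopes the assertion does not request; every
// requested scope must also be authorised for the SA client ID in the Admin console.
func MissingScopes(c AssertionClaims, required []string) []string {
	var missing []string
	for _, r := range required {
		if !strings.Contains(" "+c.Scope+" ", " "+r+" ") {
			missing = append(missing, r)
		}
	}
	return missing
}

// SampleAssertion builds a constructed, unsigned assertion for offline use
// (hypothetical issuer, dummy signature; real ones are RS256-signed).
func SampleAssertion(sub, scope string) string {
	enc := base64.RawURLEncoding.EncodeToString
	body, _ := json.Marshal(AssertionClaims{Iss: "sa@example.iam.gserviceaccount.com", Sub: sub, Scope: scope})
	return enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(body) + ".sig"
}
```

A real assertion can be captured for this check with a logging `http.RoundTripper` on the token-exchange request; if no scope is missing and `sub` is the intended admin, the 403 is an authorisation decision on the API side rather than a token problem.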