我有这个代码:
import {v2beta3} from "@google-cloud/tasks";
const project = 'xxxxxxx'
const location = 'yyyyyyy'
const queue = 'zzzzzzzzz'
const client = new v2beta3.CloudTasksClient()
const parent = client.queuePath(project, location, queue)
const payload = {eventId: "fred"}
const convertedPayload = JSON.stringify(payload)
const body = Buffer.from(convertedPayload).toString('base64');
const task = {
httpRequest: {
httpMethod: "POST",
url: "https://webhook.site/9sssssssssss",
oidcToken: {
serviceAccountEmail: "aaaaaaaaaa@appspot.gserviceaccount.com",
},
headers: {
'Content-Type': 'application/json',
},
body,
},
};
(async function() {
try {
const [response] = await client.createTask({parent, task});
console.log(`Created task ${response.name}`);
} catch (error) {
console.log(error)
}
}());
当我在笔记本电脑上运行它时,它就可以工作了,这对我来说似乎是未经验证的。现在任何人都可以在我的队列中排队执行任务。
向GCP云任务队列API进行身份验证的正确方法是什么?
正如John Hanley在评论中指出的那样,我的本地应用程序正在使用应用程序默认凭据进行身份验证。当我通过这样做切换到另一个gcloud帐户时:
gcloud auth application-default login
当我尝试运行代码时,我收到了以下错误消息:
Error: 7 PERMISSION_DENIED: The principal (user or service account) lacks IAM permission "cloudtasks.tasks.create" for the resource "projects/yyyyyyy/locations/europe-west1/queues/default-xxxxxx" (or the resource may not exist).