每次在 firebase 函数中使用 google admin api 在 firestore 数据库中创建新条目时,我都会尝试创建一个独特的 google 组。
函数index.js中的
onCreateasync function createSupplierOrderChannel(orderId, supplierId, customerEmail, supplierEmail) {
const auth = new google.auth.GoogleAuth({
scopes: [
'https://www.googleapis.com/auth/admin.directory.group',
'https://www.googleapis.com/auth/admin.directory.user',
'https://www.googleapis.com/auth/admin.directory.group.member'
]
});
const client = await auth.getClient();
console.log('Service Account Email:', await auth.getCredentials());
const googleAdmin = google.admin({
version: 'directory_v1',
auth: client
});
const groupEmail = `order-${orderId}-supplier-${supplierId}@${GOOGLE_WORKSPACE_DOMAIN}`;
// Create Google Group
await googleAdmin.groups.insert({
requestBody: {
email: groupEmail,
name: `Order ${orderId} - Supplier ${supplierId}`,
description: `Communication channel for order ${orderId} with supplier ${supplierId}`
}
});
return groupEmail;
}
可以看到,为了进行完整性检查,我正在打印用于进行此调用的服务帐户电子邮件,这是具有以下格式的 Firebase 服务帐户:
经过搜索,我在域范围委托中向此客户端 ID 添加了以下范围:
https://www.googleapis.com/auth/admin.directory.group.member
https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.user.security
由于某种原因,运行该函数会导致函数日志中出现以下错误:
Error: Not Authorized to access this resource/api
我缺少什么许可?
弄清楚。除了范围之外,您还必须提供从 google 管理控制台服务帐户页面获取的凭证 json 文件以及正在模拟的
subjectconst auth = new google.auth.GoogleAuth({
keyFile: './your-credentials-file.json',
scopes: [
'https://www.googleapis.com/auth/admin.directory.group',
'https://www.googleapis.com/auth/admin.directory.user',
'https://www.googleapis.com/auth/admin.directory.group.member'
],
clientOptions: {
subject: '[email protected]'
}