Your application has authenticated using end user credentials from the Google Cloud SDK

0
votes

I have an issue with dialogflow detect intent function integrated with .net application

gcloud, GOOGLE_APPLICATION_CREDENTIALS, gcloud auth activate-service-account and set project property was enabled from the tutorial,

But I still have an exception message "Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the dialogflow.googleapis.com."

Help, please

2
c#.netapidialogflow-esgcloud

2 Answers

0
votes

I think you are not setting properly the service account and authenticate using end user credentials.

 1. gcloud config set project your-project

 2. gcloud auth list
    ACTIVE  ACCOUNT
    * [email protected]

 3. gcloud iam service-accounts create dialogflow --description dialogflow --display-name dialogflow
    gcloud iam service-accounts list
    # [email protected]

 4. gcloud iam service-accounts keys create key.json --iam-account [email protected]

 5. gcloud projects add-iam-policy-binding your-project --member [email protected] --role roles/owner

 6. gcloud auth activate-service-account [email protected]  --key-file=key.json

 7. gcloud auth list
 # ACTIVE  ACCOUNT
  * [email protected]

Then you can proceed with the tutorial

0
votes

Google Application Default Credentials (ADCs) is a useful facility for simplifying authentication with Google services. Generally (!) you will want to use a service account with ADCs. However -- for development purposes (perhaps others!?) -- it is possible to use end-user credentials instead.

You appear to be using end-user credentials (e.g. your Google account) as the credentials and (in this case) this is not permitted by the (DialogFlow) service. You must instead use a service account.

@marian-vladoi's answer is correct in providing the commands to help you create a service account, a key for it and in defining the IAM permissions. However, I would recommend that you then configure ADCs to use this service account by exporting the environment variable GOOGLE_APPLICATION_CREDENTIALS rather than gcloud auth activate-service-account ...

So:

PROJECT=[[YOUR-PROJECT]]
ACCOUNT="dialogflow"     # Or your preferred name
EMAIL="${ACCOUNT}@${PROJECT}.iam.gserviceaccount.com"
FILE=./${ACCOUNT}.json

# Create the service account
gcloud iam service-accounts create ${ACCOUNT} \
--project=${PROJECT}

# Create a key for it
gcloud iam service-accounts keys create ${FILE}
--iam-account=${EMAIL} \
--key-file-type=json \
--project=${PROJECT}

# Grant the service account appropriate permissions
gcloud projects add-iam-policy-binding ${PROJECT} \
--member=serviceAccount:${EMAIL} \
--role=roles/dialogflow.client

NB I assume the service account only needs roles/dialogflow.client but you may need to bump this. See: https://cloud.google.com/iam/docs/understanding-roles#dialogflow-roles

If you're using Linux, then you can:

export GOOGLE_APPLICATION_CREDENTIALS=${FILE}
# Run your app

See here for setting GOOGLE_APPLICATION_CREDENTIALS on Windows.