1

I created the service account and i provided to my env following this guide

https://cloud.google.com/dialogflow/cx/docs/quick/setup#windows

I tried to run my code using firebase serve, but i got the following error:

Error: 7 PERMISSION_DENIED: IAM permission 'dialogflow.sessions.detectIntent' on 'projects/botDialogflowCX/locations/us-central1/agents/chat' denied

I'm sure that the service account is correct. I already tried to create a dialogflow admin account, client and project owner account.

Here is my code

const functions = require("firebase-functions");
const { SessionsClient } = require("@google-cloud/dialogflow-cx");
const crededentials = require("../../.env/botdialogflowcx-5e936a89c163.json");

exports.teste = functions.https.onRequest((request, response) => {
    functions.logger.info("Hello logs!", { structuredData: true });


    const client = new SessionsClient({
        apiEndpoint: "us-central1-dialogflow.googleapis.com",
    });

    const sessionId = Math.random().toString(36).substring(7);
    const sessionPath = client.projectLocationAgentSessionPath(
        "botDialogflowCX",
        "us-central1",
        "chat",
        sessionId);
    
    console.info(sessionPath);

    const requestDialogflow = {
        session: sessionPath,
        queryInput: {
            text: {
                text: "Oi",
            },
            languageCode: "pt-br",
        },
    };

    client.detectIntent(requestDialogflow).then((snapshot) => {
        const webhookResponse = {
            fulfillment_response: {
                messages: [{
                    text: {
                        text: ["testandoooo", snapshot],
                    },
                },
                ],
            },
        };
    
        response.send(webhookResponse);
    }).catch((error) => {
        console.log(error);
        response.status(500).send(error);
    });
});

I really don't know what is going on.

Running the command

gcloud projects get-iam-policy botdialogflowcx --flatten="bindings[].members" --format="table(bindings.role)" --filter="bindings.members:teste-889@botdialogflowcx.iam.gserviceaccount.com"

The output was roles/dialogflow.admin.

I add the email to the service account in the dialogflow CX - agent - share.

email in the dialogflow CX - agent - share

email in the account service

But still having the same error, that the IAM does not have permission.

Lucas Albuquerque
  • 23
  • 6
  • 1) Lookup the **client_emil** in **botdialogflowcx-5e936a89c163.json**. 2) Edit your question and include this command and output in your question: **gcloud projects get-iam-policy $PROJECT --flatten="bindings[].members" --format="table(bindings.role)" --filter="bindings.members:$SA_EMAIL"** – John Hanley Aug 12 '21 at 01:06
  • Execute this command then wait five minutes and try again: **gcloud services enable dialogflow.googleapis.com** – John Hanley Aug 12 '21 at 01:45
  • Also try changing the client code: **const client = new SessionsClient({keyFilename: "../../.env/botdialogflowcx-5e936a89c163.json", apiEndpoint: "us-central1-dialogflow.googleapis.com"});** – John Hanley Aug 12 '21 at 01:49
  • Still having the same problem. I did the **gcloud services enable** and change the **keyFilename** – Lucas Albuquerque Aug 12 '21 at 01:58
  • In the Dialogflow CX Console, does the service account have permission? https://dialogflow.cloud.google.com/cx/projects The service account will need the Dialogflow agent role **Admin**. Agent Settings -> Share. – John Hanley Aug 12 '21 at 02:05
  • The service that you added in your last update is a different service account. – John Hanley Aug 12 '21 at 02:52
  • Sorry, i forgot to say that i created the service account again and repeat all the steps just to have sure that i'm doing (amost) everything right. – Lucas Albuquerque Aug 12 '21 at 02:58
  • Unfortunately, I have run out of ideas to check for problems. – John Hanley Aug 12 '21 at 03:02

3 Answers3

1

I got it. I just had to change the

client.projectLocationAgentSessionPath(
        "botDialogflowCX",
        "us-central1",
        "chat",
        sessionId);

to

    const sessionPath = client.projectLocationAgentSessionPath(
        "botdialogflowcx",
        "us-central1",
        "e55b9ef5-d1f2-4e5c-9e95-974501233d50",
        sessionId);

and it worked.

Lucas Albuquerque
  • 23
  • 6
1

The IAM Permission denied error usually occurs because the service account you are using has not been granted sufficient permission to perform the requested action on the GCP Project connected to the Dialogflow Agent, you have used the incorrect credentials in your request, or you have queried the incorrect agent.

Looking at the following code and error encountered, it seems that the Project Name and Agent Name were used instead of the Project ID and Agent ID value respectively.

const sessionPath = client.projectLocationAgentSessionPath(
        "botDialogflowCX", // update to Project ID
        "us-central1",
        "Chat", // update to Agent ID
        sessionId);

Please note that Project ID and Agent ID are different from the Project Name and Agent Name, you can refer to the following documentation on how to collect IDs.

Riel
  • 444
  • 2
  • 5
0

if you're running this code in cloud functions i don't believe you need to provide the credentials. If you're running this locally you would set your credentials like this :

$env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"

That way you wouldn't need to provide the credentials in your code.

Gal Zahavi
  • 51
  • 2