PermissionDenied: 403 IAM permission 'dialogflow.intents.list'
Solution 1
There is no need for creating a new agent. You can edit the existing agent's IAM.
- In Dialogflow's console, go to settings ⚙ > under the general tab, you'll see the project ID section with a Google Cloud link to open the Google Cloud console > Open Google Cloud.
- In Google Cloud, go to IAM Admin > IAM under the Members tab. Find the name of your agents and then click on edit.
- Give admin permissions to the agent to give permissions to list intent.
Solution 2
The problem lies in the IAM section of GCP. Probably you are making a POST request with a role that does not have the necessary authorizations.
- Look into your key.json file that contains the field "client_email"
- Proceed to the IAM page and set the relevant role with that email to a role that has posting capabilities. (e.g. Admin)
This solved my problem.
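A way to check which of the causes described in Solutions 1 and 2 applies, as an added example that is not part of any answer on this page: it reads client_email from the key file and looks that account up in the project's IAM policy. The function name, the sample data and the table of roles assumed to include dialogflow.intents.list are illustrative assumptions, and only direct bindings on the project are considered.

```python
import json

PERMISSION = "dialogflow.intents.list"
# Assumption: predefined roles taken to include PERMISSION; confirm each with
# `gcloud iam roles describe ROLE` before relying on this table.
GRANTING_ROLES = {"roles/dialogflow.reader", "roles/dialogflow.admin",
                  "roles/viewer", "roles/editor", "roles/owner"}
BROAD_ROLES = {"roles/editor", "roles/owner"}  # far more than listing intents needs


def diagnose(key_json, policy_json, agent_project):
    """Explain a 403 on PERMISSION from a key file and a project IAM policy."""
    key = json.loads(key_json)
    member = "serviceAccount:" + key["client_email"]
    findings = []
    if key.get("project_id") != agent_project:
        findings.append("key was created in project %r, agent is in %r; the "
                        "binding must exist on the agent's project"
                        % (key.get("project_id"), agent_project))
    roles = sorted(b["role"] for b in json.loads(policy_json).get("bindings", [])
                   if member in b.get("members", []))
    granting = [r for r in roles if r in GRANTING_ROLES]
    if not granting:
        findings.append("%s holds %s, none of which grants %s"
                        % (member, roles or "no roles", PERMISSION))
    for role in roles:
        if role in BROAD_ROLES:
            findings.append("%s is broader than needed; roles/dialogflow.reader "
                            "is enough to list intents" % role)
    return {"member": member, "roles": roles,
            "allowed": bool(granting), "findings": findings}


# Constructed sample data: a trimmed key file and a policy in the JSON shape of
# `gcloud projects get-iam-policy my-agent-project --format=json`.
SAMPLE_KEY = json.dumps({"type": "service_account", "project_id": "my-agent-project",
                         "client_email": "bot@my-agent-project.iam.gserviceaccount.com"})
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:bot@my-agent-project.iam.gserviceaccount.com"]}]})

if __name__ == "__main__":
    report = diagnose(SAMPLE_KEY, SAMPLE_POLICY, "my-agent-project")
    print(json.dumps(report, indent=2))
```

To run it against a real project, pass the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` in place of the sample policy.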
Solution 3
- In Dialogflow's console, go to settings ⚙ > under the general tab, you'll see the project ID section with a Google Cloud link to open the Google Cloud console > Open Google Cloud.
- (Optional) In the Cloud console, go to the menu icon > APIs & Services > Library. Select any APIs (if any) > Enable.
- In Cloud Console > under the menu icon ☰ > APIs & Services > Credentials > Create Credentials > Service Account Key.
Under Create service account key, select New Service Account from the dropdown and enter a project name and for role choose Owner > Create.
- JSON private key file will be downloaded to your local machine that you will need.
For Javascript: In the index.js file you can do service account auth with JWT:
const {google} = require('googleapis'); // provides google.auth.JWT

const serviceAccount = {}; // Starts with {"type": "service_account",...
// Set up Google Calendar Service account credentials
const serviceAccountAuth = new google.auth.JWT({
  email: serviceAccount.client_email,
  key: serviceAccount.private_key,
  scopes: 'https://www.googleapis.com/auth/xxxxxxx'
});
For Python:
There's a Google Auth Python Library available via pip install google-auth
and you can check out more here.
Solution 4
When you create the intentClient, use the following:
// Node.js client: pass the key file path explicitly
const key_file_path = "/home/user/folder/service-account-key.json";
const client = new dialogflow.IntentsClient({
  keyFilename: key_file_path
});
Pranshu Dixit
Updated on June 15, 2022
Comments
-
Pranshu Dixit about 2 years
I'm trying to get the list of the intents in my Dialogflow agent using Dialogflow's V2 APIs but have been getting the following error:
PermissionDenied: 403 IAM permission 'dialogflow.intents.list' on 'projects/xxxx/agent' denied.
I adopted the following steps:
- I created a new agent (with V2 APIs enabled) and a new service account for it.
- I downloaded the JSON key and set my GOOGLE_APPLICATION_CREDENTIALS variable to its path.
Following is my code:
import os
import dialogflow_v2 as dialogflow

# Point the client library at the downloaded service account key
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "/home/user/folder/service-account-key.json"
client = dialogflow.IntentsClient()
parent = client.project_agent_path('[PROJECT_ID]')
for element in client.list_intents(parent):
    pass
I have made various agents and service accounts and even changed the role from Admin to Client but can't figure out any solution. I tried the following solution but it didn't work.
Tried Solution: DialogFlow PermissionDenied: 403 IAM permission 'dialogflow.sessions.detectIntent'
-
Pranshu Dixit almost 6 years
Hi @Armin_SC, thanks for the reply. I tried your approach but couldn't get it working for dialogflow. Can you please help me by referring to the following link? dialogflow.com/docs/reference/v2-auth-setup
-
Armin_SC almost 6 years
In case you want to provide credentials separately from your application, I suggest you set the GOOGLE_APPLICATION_CREDENTIALS environment variable by following the Setting the environment variable guide steps and create the .bashrc file as mentioned in the Dialogflow tutorial you provided previously; otherwise, the variable will apply only to the current shell session, so if you open a new session, set the variable again.
-
Pranshu Dixit almost 6 years
I have set the environment variable GOOGLE_APPLICATION_CREDENTIALS too. It is working for listing out the buckets but not for the Dialogflow API.
-
Armin_SC almost 6 years
You should take a look at the DialogFlow V2 Authentication guide and the StackOverflow post where it is recommended to create the Dialogflow object by using the private_key and client_email information, as well as verify that your account has the required roles to perform these tasks.
-
str028 about 4 years
Are you sure about Owner role?
-
Yugo Gautomo almost 4 years
Yes, this solution also works within the gcloud terminal
$ gcloud alpha dialogflow intents list --impersonate-service-account=[SERVICE_ACCOUNT]
-
lumayara about 3 years
This was so helpful! Thanks!