IAM permission denied while trying to detect intent on dialogflow CX

Question

I created the service account and i provided to my env following this guide

https://cloud.google.com/dialogflow/cx/docs/quick/setup#windows

I tried to run my code using firebase serve, but i got the following error:

Error: 7 PERMISSION_DENIED: IAM permission 'dialogflow.sessions.detectIntent' on 'projects/botDialogflowCX/locations/us-central1/agents/chat' denied

I'm sure that the service account is correct. I already tried to create a dialogflow admin account, client and project owner account.

Here is my code

const functions = require("firebase-functions");
const { SessionsClient } = require("@google-cloud/dialogflow-cx");
const crededentials = require("../../.env/botdialogflowcx-5e936a89c163.json");

exports.teste = functions.https.onRequest((request, response) => {
    functions.logger.info("Hello logs!", { structuredData: true });


    const client = new SessionsClient({
        apiEndpoint: "us-central1-dialogflow.googleapis.com",
    });

    const sessionId = Math.random().toString(36).substring(7);
    const sessionPath = client.projectLocationAgentSessionPath(
        "botDialogflowCX",
        "us-central1",
        "chat",
        sessionId);
    
    console.info(sessionPath);

    const requestDialogflow = {
        session: sessionPath,
        queryInput: {
            text: {
                text: "Oi",
            },
            languageCode: "pt-br",
        },
    };

    client.detectIntent(requestDialogflow).then((snapshot) => {
        const webhookResponse = {
            fulfillment_response: {
                messages: [{
                    text: {
                        text: ["testandoooo", snapshot],
                    },
                },
                ],
            },
        };
    
        response.send(webhookResponse);
    }).catch((error) => {
        console.log(error);
        response.status(500).send(error);
    });
});

I really don't know what is going on.

Running the command

gcloud projects get-iam-policy botdialogflowcx --flatten="bindings[].members" --format="table(bindings.role)" --filter="bindings.members:teste-889@botdialogflowcx.iam.gserviceaccount.com"

The output was roles/dialogflow.admin.

I add the email to the service account in the dialogflow CX - agent - share.

email in the dialogflow CX - agent - share

email in the account service

But still having the same error, that the IAM does not have permission.

Answer 1

The IAM Permission denied error usually occurs because the service account you are using has not been granted sufficient permission to perform the requested action on the GCP Project connected to the Dialogflow Agent, you have used the incorrect credentials in your request, or you have queried the incorrect agent.

Looking at the following code and error encountered, it seems that the Project Name and Agent Name were used instead of the Project ID and Agent ID value respectively.

const sessionPath = client.projectLocationAgentSessionPath(
        "botDialogflowCX", // update to Project ID
        "us-central1",
        "Chat", // update to Agent ID
        sessionId);

Please note that Project ID and Agent ID are different from the Project Name and Agent Name, you can refer to the following documentation on how to collect IDs.