应用程序默认凭据不适用于 Google 容器引擎
Application Default Credential Is Not Working on Google Container Engine
我正在尝试为 python IAM API 使用 Container Engine 上的应用程序默认凭证。但是我收到以下错误,指出身份验证范围不足。我的项目启用了 IAM API,并且代码在本地运行。所以,我不确定我错过了什么。
我的错误信息:
22:26:16.000
ERROR:root:<HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/test123@henry-dev.iam.gserviceaccount.com/keys?alt=json returned "Request had insufficient authentication scopes.">
{
metadata: {…}
textPayload: "ERROR:root:<HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/test123@henry-dev.iam.gserviceaccount.com/keys?alt=json returned "Request had insufficient authentication scopes.">
"
insertId: "116wpgtg3n4zndx"
log: "simplekubeserver"
}
22:26:16.000
HttpError: <HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/test123@henry-dev.iam.gserviceaccount.com/keys?alt=json returned "Request had insufficient authentication scopes.">
{
metadata: {…}
textPayload: "HttpError: <HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/test123@henry-dev.iam.gserviceaccount.com/keys?alt=json returned "Request had insufficient authentication scopes.">
"
insertId: "116wpgtg3n4znej"
log: "simplekubeserver"
}
我的代码,在本地有效但在 GKE 上无效:
from oauth2client.client import GoogleCredentials
def _iam_service():
credentials = GoogleCredentials.get_application_default()
return discovery.build(serviceName='iam',
version='v1',
credentials=credentials)
def list_keys(project_id, service_account_id):
full_name = 'projects/{0}/serviceAccounts/{1}'.format(project_id, service_account_id)
keys = _iam_service().projects().serviceAccounts().keys()
request = keys.list(name=full_name)
return request.execute()
我为解决问题所做的一件事是获取正在使用的服务帐户。
print credentials.service_account_email
在本地,这显示了我正在使用的正确服务帐户。而在 GKE 上,我得到 None,但预计会出现类似 123456789-compute@developer.gserviceaccount.com
的内容
在 source code 中,我看到:
_get_application_default_credential_GCE()
_get_application_default_credential_GAE()
但没有针对 GKE 的明确说明。所以,我假设使用了 GCE 的那个。
This doc 提到这应该适用于容器引擎。
Application Default Credentials are best suited for cases
when the call needs to have the same identity and authorization level
for the application independent of the user. This is the recommended
approach to authorize calls to Google Cloud Platform APIs, particularly
when you're building an application that is deployed to Google App
Engine, **Google Container Engine**, or Google Compute Engine virtual
machines.
IAM Service Accounts API 需要 https://www.googleapis.com/auth/iam 或 https://www.googleapis.com/auth/cloud-platform 范围。 GKE 集群节点上的范围是在集群创建(或节点池创建)时定义的。如果您是通过 Cloud Console 或 gcloud 创建集群,则默认范围不包括这些。
在 Cloud Console 中,您可以通过单击 "More" link 并将 "Cloud Platform" 设置为 [=26=,将云平台范围添加到 new cluster ]
如果您使用的是 gcloud,您可以通过将 --scopes 标志传递给 gcloud container clusters create or gcloud container node-pools create
来指定范围
我正在尝试为 python IAM API 使用 Container Engine 上的应用程序默认凭证。但是我收到以下错误,指出身份验证范围不足。我的项目启用了 IAM API,并且代码在本地运行。所以,我不确定我错过了什么。
我的错误信息:
22:26:16.000
ERROR:root:<HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/test123@henry-dev.iam.gserviceaccount.com/keys?alt=json returned "Request had insufficient authentication scopes.">
{
metadata: {…}
textPayload: "ERROR:root:<HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/test123@henry-dev.iam.gserviceaccount.com/keys?alt=json returned "Request had insufficient authentication scopes.">
"
insertId: "116wpgtg3n4zndx"
log: "simplekubeserver"
}
22:26:16.000
HttpError: <HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/test123@henry-dev.iam.gserviceaccount.com/keys?alt=json returned "Request had insufficient authentication scopes.">
{
metadata: {…}
textPayload: "HttpError: <HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/test123@henry-dev.iam.gserviceaccount.com/keys?alt=json returned "Request had insufficient authentication scopes.">
"
insertId: "116wpgtg3n4znej"
log: "simplekubeserver"
}
我的代码,在本地有效但在 GKE 上无效:
from oauth2client.client import GoogleCredentials
def _iam_service():
credentials = GoogleCredentials.get_application_default()
return discovery.build(serviceName='iam',
version='v1',
credentials=credentials)
def list_keys(project_id, service_account_id):
full_name = 'projects/{0}/serviceAccounts/{1}'.format(project_id, service_account_id)
keys = _iam_service().projects().serviceAccounts().keys()
request = keys.list(name=full_name)
return request.execute()
我为解决问题所做的一件事是获取正在使用的服务帐户。
print credentials.service_account_email
在本地,这显示了我正在使用的正确服务帐户。而在 GKE 上,我得到 None,但预计会出现类似 123456789-compute@developer.gserviceaccount.com
的内容在 source code 中,我看到:
_get_application_default_credential_GCE()
_get_application_default_credential_GAE()
但没有针对 GKE 的明确说明。所以,我假设使用了 GCE 的那个。
This doc 提到这应该适用于容器引擎。
Application Default Credentials are best suited for cases
when the call needs to have the same identity and authorization level
for the application independent of the user. This is the recommended
approach to authorize calls to Google Cloud Platform APIs, particularly
when you're building an application that is deployed to Google App
Engine, **Google Container Engine**, or Google Compute Engine virtual
machines.
IAM Service Accounts API 需要 https://www.googleapis.com/auth/iam 或 https://www.googleapis.com/auth/cloud-platform 范围。 GKE 集群节点上的范围是在集群创建(或节点池创建)时定义的。如果您是通过 Cloud Console 或 gcloud 创建集群,则默认范围不包括这些。
在 Cloud Console 中,您可以通过单击 "More" link 并将 "Cloud Platform" 设置为 [=26=,将云平台范围添加到 new cluster ]
如果您使用的是 gcloud,您可以通过将 --scopes 标志传递给 gcloud container clusters create or gcloud container node-pools create