在 docker 图像上验证 Google 云服务帐户
Authenticate Google Cloud service account on docker image
我发现 docker 图像内部和外部的不同行为用于验证 google 服务帐户。
外面。成功。
C:\Users\Ben\AppData\Local\Google\Cloud SDK>gcloud auth activate-service-account 773889352370-compute@developer.gserviceaccount.com --key-file C:/Users/Ben/Dropbox/Google/MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
Activated service account credentials for: [773889352370-compute@developer.gserviceaccount.com]
运行 docker容器,将.json键传到tmp目录。
C:\Users\Ben\AppData\Local\Google\Cloud SDK>docker run -it -v C:/Users/Ben/Dropbox/Google/MeerkatReader-d77c0d6aa04f.json:/tmp/MeerkatReader-d77c0d6aa04f.json --rm -p "127.0.0.1:8080:8080" --entrypoint=/bin/bash gcr.io/cloud-datalab/datalab:local-20161227
从 docker 中确认文件存在
root@4a4a9314f15c:/tmp# ls
MeerkatReader-d77c0d6aa04f.json npm-24-b7aa1bcf npm-45-fd13ef7c npm-7-22ec336e
运行 与之前相同的命令。失败。
root@4a4a9314f15c:/tmp# gcloud auth activate-service-account 773889352370-compute@developer.gserviceaccoun
t.com --key-file MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
ERROR: (gcloud.auth.activate-service-account) Failed to activate the given service account. Please ensure provided key file is valid.
什么可能导致此错误?更广泛地说,用于传递凭据的 suggested strategy 是什么。我试过这个但它也失败了。我正在使用 cloudml API 和 cloud vision,我想避免在每个 运行 开始时手动 gcloud init。
编辑:显示 gcloud 信息
root@7ff49b26484f:/# gcloud info --run-diagnostics
Network diagnostic detects and fixes local network connection issues.
Checking network connection...done.
Reachability Check passed.
Network diagnostic (1/1 checks) passed.
确认了同样的行为
root@7ff49b26484f:/tmp# gcloud auth activate-service-account 773889352370-compute@developer.gserviceaccount.com --key-file MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
ERROR: (gcloud.auth.activate-service-account) Failed to activate the given service account. Please ensure provided key file is valid.
您是否尝试过从一开始就将凭据放入图像中?这是一个相似的结果吗?
另一方面,您是否尝试过使用 --key-file /tmp/MeerkatReader-d77c0d6aa04f.json?由于您似乎将 json 文件放在 /tmp 中。
您还可以考虑检查容器内部的网络配置,并从外部使用 docker。
这可能是由于 docker VM 的时钟偏差。我调试了google SDK的activate-service-account函数,得到如下错误信息:
There was a problem refreshing your current auth tokens: invalid_grant:
Invalid JWT: Token must be a short-lived token and in a reasonable timeframe
Please run:
$ gcloud auth login
to obtain new credentials, or if you have already logged in with a different account:
$ gcloud config set account ACCOUNT
to select an already authenticated account to use.
重新启动 VM 后,效果非常好。
我发现 docker 图像内部和外部的不同行为用于验证 google 服务帐户。
外面。成功。
C:\Users\Ben\AppData\Local\Google\Cloud SDK>gcloud auth activate-service-account 773889352370-compute@developer.gserviceaccount.com --key-file C:/Users/Ben/Dropbox/Google/MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
Activated service account credentials for: [773889352370-compute@developer.gserviceaccount.com]
运行 docker容器,将.json键传到tmp目录。
C:\Users\Ben\AppData\Local\Google\Cloud SDK>docker run -it -v C:/Users/Ben/Dropbox/Google/MeerkatReader-d77c0d6aa04f.json:/tmp/MeerkatReader-d77c0d6aa04f.json --rm -p "127.0.0.1:8080:8080" --entrypoint=/bin/bash gcr.io/cloud-datalab/datalab:local-20161227
从 docker 中确认文件存在
root@4a4a9314f15c:/tmp# ls
MeerkatReader-d77c0d6aa04f.json npm-24-b7aa1bcf npm-45-fd13ef7c npm-7-22ec336e
运行 与之前相同的命令。失败。
root@4a4a9314f15c:/tmp# gcloud auth activate-service-account 773889352370-compute@developer.gserviceaccoun
t.com --key-file MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
ERROR: (gcloud.auth.activate-service-account) Failed to activate the given service account. Please ensure provided key file is valid.
什么可能导致此错误?更广泛地说,用于传递凭据的 suggested strategy 是什么。我试过这个但它也失败了。我正在使用 cloudml API 和 cloud vision,我想避免在每个 运行 开始时手动 gcloud init。
编辑:显示 gcloud 信息
root@7ff49b26484f:/# gcloud info --run-diagnostics
Network diagnostic detects and fixes local network connection issues.
Checking network connection...done.
Reachability Check passed.
Network diagnostic (1/1 checks) passed.
确认了同样的行为
root@7ff49b26484f:/tmp# gcloud auth activate-service-account 773889352370-compute@developer.gserviceaccount.com --key-file MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
ERROR: (gcloud.auth.activate-service-account) Failed to activate the given service account. Please ensure provided key file is valid.
您是否尝试过从一开始就将凭据放入图像中?这是一个相似的结果吗?
另一方面,您是否尝试过使用 --key-file /tmp/MeerkatReader-d77c0d6aa04f.json?由于您似乎将 json 文件放在 /tmp 中。
您还可以考虑检查容器内部的网络配置,并从外部使用 docker。
这可能是由于 docker VM 的时钟偏差。我调试了google SDK的activate-service-account函数,得到如下错误信息:
There was a problem refreshing your current auth tokens: invalid_grant:
Invalid JWT: Token must be a short-lived token and in a reasonable timeframe
Please run:
$ gcloud auth login
to obtain new credentials, or if you have already logged in with a different account:
$ gcloud config set account ACCOUNT
to select an already authenticated account to use.
重新启动 VM 后,效果非常好。