如何使用服务帐户从应用程序脚本访问云数据存储
How to access cloud datastore from apps script with a service account
尝试使用这样的服务帐户从 google 应用程序脚本访问 google 云数据存储。我从 here 那里得到了样本
我不确定 SCOPE 是否正常,或者是否需要另一个范围。
运行 函数 运行() 给出类似 "Error retrieving token: invalid_scope, https://www.googleapis.com/auth/userinfo.email is not a valid audience string."
的错误
// testing Cloud Datastore access via service account
var PRIVATE_KEY = "-----BEGIN PRIVATE KEY----------END PRIVATE KEY-----\n";
var CLIENT_EMAIL = "xxxxxxxxxxx@appspot.gserviceaccount.com";
var USER_EMAIL = "myemailaddress@mydomain.com";
var CLIENT_ID = "104548139575444821912";
var SCOPE = "https://www.googleapis.com/auth/datastore/v1";
/**
* Authorizes and makes a request to the Cloud Datastore
*/
function run() {
var service = getService();
if (service.hasAccess()) {
var url = SCOPE;
var response = UrlFetchApp.fetch(url, {
headers: {
Authorization: 'Bearer ' + service.getAccessToken()
}
});
var result = JSON.parse(response.getContentText());
Logger.log(JSON.stringify(result, null, 2));
} else {
Logger.log(service.getLastError());
}
}
/**
* Reset the authorization state, so that it can be re-tested.
*/
function reset() {
getService().reset();
}
/**
* Configures the service.
*/
function getService() {
return OAuth2.createService('CloudDatastore:' + USER_EMAIL)
// Set the endpoint URL.
.setTokenUrl('https://accounts.google.com/o/oauth2/token')
// Set the private key and issuer.
.setPrivateKey(PRIVATE_KEY)
.setIssuer(CLIENT_EMAIL)
// .setClientId(CLIENT_ID)
// Set the name of the user to impersonate. This will only work for
// Google Apps for Work/EDU accounts whose admin has setup domain-wide
// delegation:
// https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
// .setSubject(USER_EMAIL)
// Set the property store where authorized tokens should be persisted.
.setPropertyStore(PropertiesService.getScriptProperties())
// Set the scope. This must match one of the scopes configured during the
// setup of domain-wide delegation.
.setScope('https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/datastore/v1');
}
曾经尝试过完全不请求示例中未说明的范围吗?请求范围 https://www.googleapis.com/auth/datastore
。虽然那个 GoogleDrive
示例有 PRIVATE_KEY
、CLIENT_EMAIL
、USER_EMAIL
(需要分配服务帐户的 PK 和电子邮件地址)...虽然它指出:
// Set the name of the user to impersonate. This will only work for
// Google Apps for Work/EDU accounts whose admin has setup domain-wide delegation:
// https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
.setSubject(USER_EMAIL)
如果您的帐户既不是工作帐户 (GSuite) 也不是教育帐户,您将无法冒充服务帐户;这给您留下了两个选择:a) 不要尝试使用服务帐户冒充任何人,或者 b) 创建一个具有 domain-wide 委托的 GSuite 域。显然不能在类似 gmail.com
的域上做到这一点,委托 off-domain 帐户也行不通;如果它是 GSuite domain, see domain-wide delegation。
曾经尝试过 var SCOPES="https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/datastore";
然后 .setScope(SCOPES)
吗?请求 invalid_scope
不会有任何结果,这意味着无效或尚未配置委派。
它指出,
This must match one of the scopes configured during the setup of domain-wide delegation.
Perform G Suite Domain-Wide Delegation of Authority explain it. domain-wide delegations needs to be enabled when creating the service account - and then accordingly delegated in the Admin Console. OAuth2ServiceAccount是ID协议。
在高级设置 > 身份验证 > 管理 API 客户端访问下,需要添加具有相应 API 范围的服务帐户的电子邮件地址(该错误消息就在以前的输入,那里可能需要两个范围):
在 Cloud Console 上,大致相同:
参见 API documentation first. once connected, see the console。
在我的 GitHub:
中添加了 rest/v1/projects 的示例(也可以 build/test 那里的请求)
请参阅 CloudDatastore.gs(它从 Google 驱动器加载配置 .json
)。
尝试使用这样的服务帐户从 google 应用程序脚本访问 google 云数据存储。我从 here 那里得到了样本 我不确定 SCOPE 是否正常,或者是否需要另一个范围。 运行 函数 运行() 给出类似 "Error retrieving token: invalid_scope, https://www.googleapis.com/auth/userinfo.email is not a valid audience string."
的错误// testing Cloud Datastore access via service account
var PRIVATE_KEY = "-----BEGIN PRIVATE KEY----------END PRIVATE KEY-----\n";
var CLIENT_EMAIL = "xxxxxxxxxxx@appspot.gserviceaccount.com";
var USER_EMAIL = "myemailaddress@mydomain.com";
var CLIENT_ID = "104548139575444821912";
var SCOPE = "https://www.googleapis.com/auth/datastore/v1";
/**
* Authorizes and makes a request to the Cloud Datastore
*/
function run() {
var service = getService();
if (service.hasAccess()) {
var url = SCOPE;
var response = UrlFetchApp.fetch(url, {
headers: {
Authorization: 'Bearer ' + service.getAccessToken()
}
});
var result = JSON.parse(response.getContentText());
Logger.log(JSON.stringify(result, null, 2));
} else {
Logger.log(service.getLastError());
}
}
/**
* Reset the authorization state, so that it can be re-tested.
*/
function reset() {
getService().reset();
}
/**
* Configures the service.
*/
function getService() {
return OAuth2.createService('CloudDatastore:' + USER_EMAIL)
// Set the endpoint URL.
.setTokenUrl('https://accounts.google.com/o/oauth2/token')
// Set the private key and issuer.
.setPrivateKey(PRIVATE_KEY)
.setIssuer(CLIENT_EMAIL)
// .setClientId(CLIENT_ID)
// Set the name of the user to impersonate. This will only work for
// Google Apps for Work/EDU accounts whose admin has setup domain-wide
// delegation:
// https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
// .setSubject(USER_EMAIL)
// Set the property store where authorized tokens should be persisted.
.setPropertyStore(PropertiesService.getScriptProperties())
// Set the scope. This must match one of the scopes configured during the
// setup of domain-wide delegation.
.setScope('https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/datastore/v1');
}
曾经尝试过完全不请求示例中未说明的范围吗?请求范围 https://www.googleapis.com/auth/datastore
。虽然那个 GoogleDrive
示例有 PRIVATE_KEY
、CLIENT_EMAIL
、USER_EMAIL
(需要分配服务帐户的 PK 和电子邮件地址)...虽然它指出:
// Set the name of the user to impersonate. This will only work for
// Google Apps for Work/EDU accounts whose admin has setup domain-wide delegation:
// https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
.setSubject(USER_EMAIL)
如果您的帐户既不是工作帐户 (GSuite) 也不是教育帐户,您将无法冒充服务帐户;这给您留下了两个选择:a) 不要尝试使用服务帐户冒充任何人,或者 b) 创建一个具有 domain-wide 委托的 GSuite 域。显然不能在类似 gmail.com
的域上做到这一点,委托 off-domain 帐户也行不通;如果它是 GSuite domain, see domain-wide delegation。
曾经尝试过 var SCOPES="https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/datastore";
然后 .setScope(SCOPES)
吗?请求 invalid_scope
不会有任何结果,这意味着无效或尚未配置委派。
它指出,
This must match one of the scopes configured during the setup of domain-wide delegation.
Perform G Suite Domain-Wide Delegation of Authority explain it. domain-wide delegations needs to be enabled when creating the service account - and then accordingly delegated in the Admin Console. OAuth2ServiceAccount是ID协议。
在高级设置 > 身份验证 > 管理 API 客户端访问下,需要添加具有相应 API 范围的服务帐户的电子邮件地址(该错误消息就在以前的输入,那里可能需要两个范围):
在 Cloud Console 上,大致相同:
参见 API documentation first. once connected, see the console。
在我的 GitHub:
中添加了 rest/v1/projects 的示例(也可以 build/test 那里的请求)请参阅 CloudDatastore.gs(它从 Google 驱动器加载配置 .json
)。