Error when using the Google Cloud client libraries: unknown credential type:

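I am using Google Cloud in Go, and following this article by John Hanley:

https://www.jhanley.com/google-cloud-improving-security-with-impersonation/

and mashed it up with this SO answer:

How to authenticate Google APIs (Google Drive API) from Google Compute Engine and locally without downloading Service Account credentials?

The credentials were saved successfully to "application_default_credentials.json":

Note: "type": "impersonated_service_account"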


    {
      "delegates": [],
      "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[sa@example-2021.iam.gserviceaccount.com]:generateAccessToken",
      "source_credentials": {
        "client_id": "...apps.googleusercontent.com",
        "client_secret": "...",
        "refresh_token": "...",
        "type": "authorized_user"
      },
      "type": "impersonated_service_account"
    }

My code generates the unknown credential type: "impersonated_service_account" error:


    package main

    import (
        // ...
        "context"
        "log"

        "cloud.google.com/go/storage"
        "golang.org/x/oauth2"
        "google.golang.org/api/docs/v1"
        "google.golang.org/api/drive/v3"
        "google.golang.org/api/impersonate"
        "google.golang.org/api/option"
        // ...
    )

    // Config holds the service account that the token source impersonates.
    var Config = struct{ GoogleServiceAccount string }{
        GoogleServiceAccount: "sa@example-2021.iam.gserviceaccount.com",
    }

    func main() {
        _ = getTokenAsImpersonator()
    }

    // From: https://pkg.go.dev/google.golang.org/api/impersonate#example-CredentialsTokenSource-ServiceAccount
    func getTokenAsImpersonator() oauth2.TokenSource {
        ctx := context.Background()

        // Base credentials sourced from ADC or provided client options.
        ts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
            TargetPrincipal: Config.GoogleServiceAccount,
            Scopes:          []string{"https://www.googleapis.com/auth/cloud-platform"},
            // Delegates: []string{"bar@project-id.iam.gserviceaccount.com"},
        })
        if err != nil {
            log.Fatal(err)
        }

        return ts
    }

The unknown credential type: "impersonated_service_account" error:


google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: unknown credential type: "impersonated_service_account"


Am I doing something wrong, or is this a bug?





慕沐林林
2 Answers

冉冉说

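I ran into the same problem when running the GCP Terraform provider tests. You can specify the service account Terraform must impersonate by setting the env variable GOOGLE_IMPERSONATE_SERVICE_ACCOUNT (documentation).

Configuration steps:

    export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com
    gcloud auth application-default login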

白猪掌柜的

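At some point I had used the CLI to impersonate an account:

    gcloud config set auth/impersonate_service_account <service account>

Then, later on, when trying to use the application default credentials command, it wraps your credentials with the service account credentials.

    gcloud auth application-default login

What you end up with is a file that looks like this:

    {
      "delegates": [],
      "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example@example-project.iam.gserviceaccount.com:generateAccessToken",
      "source_credentials": {
        "client_id": "123abc.apps.googleusercontent.com",
        "client_secret": "XXXXXXXXX",
        "refresh_token": "XXXXXXXXX",
        "type": "authorized_user"
      },
      "type": "impersonated_service_account"
    }

This seems to cause a lot of problems with third-party services such as Terraform. What's strange is that Terraform is just making API calls to Google using the Google SDKs, so it really is something to do with Google.

You need to remove the impersonation:

    gcloud config unset auth/impersonate_service_account

And then run the application default credentials command again:

    gcloud auth application-default login

Now, if you check the file, it should look like this:

    {
      "client_id": "XXXXXXXXX",
      "client_secret": "XXXXXXXXX",
      "quota_project_id": "example-project",
      "refresh_token": "XXXXXXXXXX",
      "type": "authorized_user"
    }

I was hitting the same issue when I was trying to impersonate an account so I could run Terraform commands as a service account instead of my personal account, but it doesn't like that.

Edit: Rereading your question, it sounds like you're in the same boat as me. We want to use service accounts without actually downloading the keys. Google even mentions this as best practice. But doing so causes issues with their own SDKs.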
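An added example, not part of either answer or of Google's libraries: a small Go check that reads an ADC file of the two shapes shown above and reports its `type`, plus the impersonation target and the wrapped source type when the file is an impersonation wrapper. `Inspect`, `Summary` and the sample constants are hypothetical names, and the samples are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// adcFile mirrors only the fields visible in the credential files on this page.
type adcFile struct {
	Type             string `json:"type"`
	ImpersonationURL string `json:"service_account_impersonation_url"`
	Source           struct {
		Type string `json:"type"`
	} `json:"source_credentials"`
}

// Summary is a hypothetical report type for this example.
type Summary struct{ Type, SourceType, Target string }

// Constructed samples with the same shape as the two files shown in the answer.
const wrappedSample = `{"delegates": [], "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example@example-project.iam.gserviceaccount.com:generateAccessToken", "source_credentials": {"client_id": "x", "client_secret": "x", "refresh_token": "x", "type": "authorized_user"}, "type": "impersonated_service_account"}`
const plainSample = `{"client_id": "x", "client_secret": "x", "quota_project_id": "example-project", "refresh_token": "x", "type": "authorized_user"}`

// Inspect (hypothetical helper) reports the credential type and, for an
// impersonation wrapper, the target service account and wrapped source type.
func Inspect(data []byte) (Summary, error) {
	var f adcFile
	if err := json.Unmarshal(data, &f); err != nil {
		return Summary{}, fmt.Errorf("parse ADC file: %w", err)
	}
	s := Summary{Type: f.Type}
	if f.Type != "impersonated_service_account" {
		return s, nil
	}
	s.SourceType = f.Source.Type
	// Expected URL shape: .../serviceAccounts/<email>:generateAccessToken
	_, rest, found := strings.Cut(f.ImpersonationURL, "/serviceAccounts/")
	email, action, hasAction := strings.Cut(rest, ":")
	if !found || !hasAction || email == "" || action != "generateAccessToken" {
		return s, fmt.Errorf("unexpected impersonation URL %q", f.ImpersonationURL)
	}
	s.Target = email
	return s, nil
}

func main() {
	s, err := Inspect([]byte(wrappedSample))
	fmt.Printf("%+v err=%v\n", s, err)
}
```

Running it against the file that `gcloud auth application-default login` wrote shows which of the two shapes a client library is about to load.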