1. 首頁
  2. 問答
  3. 應用程序默認憑證不適用於Google容器引擎

應用程序默認憑證不適用於Google容器引擎

2016-09-26 34 views
1

我正嘗試在容器引擎上使用應用程序默認憑證,以用於python IAM API。但是我收到以下錯誤指出認證範圍不足。我的項目啓用了IAM API,代碼在本地工作。所以,我不知道我錯過了什麼。應用程序默認憑證不適用於Google容器引擎

我的錯誤消息:

22:26:16.000 
ERROR:root:<HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/[email protected]/keys?alt=json returned "Request had insufficient authentication scopes."> 
{ 
metadata: {…} 
textPayload: "ERROR:root:<HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/[email protected]/keys?alt=json returned "Request had insufficient authentication scopes."> 
" 
insertId: "116wpgtg3n4zndx" 
log: "simplekubeserver" 
} 

22:26:16.000 
HttpError: <HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/[email protected]/keys?alt=json returned "Request had insufficient authentication scopes."> 
{ 
metadata: {…} 
textPayload: "HttpError: <HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/[email protected]/keys?alt=json returned "Request had insufficient authentication scopes."> 
" 
insertId: "116wpgtg3n4znej" 
log: "simplekubeserver" 
}

我的代碼,這在當地可是沒有工作在GKE:

from oauth2client.client import GoogleCredentials 

def _iam_service(): 
    credentials = GoogleCredentials.get_application_default() 
    return discovery.build(serviceName='iam', 
         version='v1', 
         credentials=credentials) 

def list_keys(project_id, service_account_id): 
    full_name = 'projects/{0}/serviceAccounts/{1}'.format(project_id, service_account_id) 
    keys = _iam_service().projects().serviceAccounts().keys() 
    request = keys.list(name=full_name) 
    return request.execute()

有一件事我沒有解決是讓正在使用的服務帳戶。

print credentials.service_account_email

在本地,這顯示了我正在使用的正確的服務帳戶。而在GKE,我得到無,但預計類似[email protected]

source code,我看到:

_get_application_default_credential_GCE()   
_get_application_default_credential_GAE()

但沒有明確的GKE。所以,我假設使用GCE的那個。

This doc提到這應該在Container Engine上工作。

Application Default Credentials are best suited for cases 
when the call needs to have the same identity and authorization level 
for the application independent of the user. This is the recommended 
approach to authorize calls to Google Cloud Platform APIs, particularly 
when you're building an application that is deployed to Google App 
Engine, **Google Container Engine**, or Google Compute Engine virtual 
machines.

來源

2016-09-26 Henry Chang

回答

1

IAM Service Accounts API要求要麼https://www.googleapis.com/auth/iamhttps://www.googleapis.com/auth/cloud-platform範圍。 GKE集羣節點上的範圍是在集羣創建(或節點池創建)時間定義的。如果您通過雲控制檯或通過gcloud創建了羣集,則默認範圍不包括這些範圍。

在雲端控制檯,您可以通過點擊「更多」鏈接,並設置「雲平臺」雲平臺範圍添加到new cluster爲「Enabled」

如果您正在使用gcloud,你可以指定通過將--scopes標誌傳遞給gcloud container clusters creategcloud container node-pools create

來源

2016-09-26 18:38:10

+0

謝謝,通過創建啓用了雲平臺範圍的新集羣,我可以爲我工作。如果可以在不需要創建新集羣的情況下更改範圍,那將更加可怕。 –

+0

您可以通過創建新節點池(包含所需的範圍)然後刪除舊節點池來更改正在運行的集羣上的範圍。但看起來你已經過去了:)。很高興它對你有效。 –

相關問題

 相關問題