DefaultCredentialsError when trying to collect Google default credentials for Google storage
Question
I am attempting to upload a file to a Google cloud storage bucket from a service running on a Kubernetes pod. This requires authentication for the Google storage and so I have created a json authentication file from the console.
This json file is saved as a secret on my kubernetes environment and is referenced in the `deploy.yaml` through the environment variable `GOOGLE_APPLICATION_CREDENTIALS`.
The format appears like this:
```json
{
  "type": "service_account",
  "project_id": "xxx",
  "private_key_id": "xxx",
  "private_key": "-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n",
  "client_email": "xx",
  "client_id": "",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "xxx"
}
```
And the following code of how I am handling this authentication:
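```python
import google.auth
from google.cloud import storage

# Application Default Credentials: reads GOOGLE_APPLICATION_CREDENTIALS as a file path
credentials, project_id = google.auth.default()
bucket_name = Config.STORAGE_BUCKET_NAME
client = storage.Client(project=project_id)
bucket = client.get_bucket(bucket_name)
```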
Given that locally I have logged into gcloud, I am able to upload files when testing locally. However, when deployed to Kubernetes I get the following error:
```
  File "/storage.py", line 8, in <module>
    credentials, project_id = google.auth.default()
  File "/usr/local/lib/python3.6/dist-packages/google/auth/_default.py", line 308, in default
    credentials, project_id = checker()
  File "/usr/local/lib/python3.6/dist-packages/google/auth/_default.py", line 166, in _get_explicit_environ_credentials
    os.environ[environment_vars.CREDENTIALS]
  File "/usr/local/lib/python3.6/dist-packages/google/auth/_default.py", line 92, in _load_credentials_from_file
    "File {} was not found.".format(filename)
google.auth.exceptions.DefaultCredentialsError: File {
  "type": "service_account",
  "project_id": "xxx",
  "private_key_id": "xxx",
  "private_key": "-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n",
  "client_email": "xx",
  "client_id": "",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "xxx"
}
 was not found.
```
I'm confused as it's referencing the file itself in the error so I am assuming it located it, but it does not recognize it as a valid service authentication file.
All help and pointers appreciated.
Answer 1
Score: 1
I think you should try this code locally and then on kubernetes, to check if it is a problem with your service_account.json file:
```python
from google.cloud import storage

client = storage.Client.from_service_account_json('service_account.json')
```
or link:
> If your application runs on Compute Engine, Kubernetes Engine, the App
> Engine flexible environment, or Cloud Functions, you don't need to
> create your own service account. Compute Engine includes a default
> service account that is automatically created for you, and you can
> assign a different service account, per-instance, if needed.
```python
from google.auth import compute_engine
from google.cloud import storage

credentials = compute_engine.Credentials()
# Create the client using the credentials and specifying a project ID.
storage_client = storage.Client(credentials=credentials, project=project)
```
Answer 2
Score: 0
My issue ended up being that I had not set up the secret json key file as a volume mount in the deploy file.
Example of how I did it:
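```yaml
# container env: the variable holds a path inside the pod, not the key contents
- name: GOOGLE_APPLICATION_CREDENTIALS
  value: /mnt/file_key/key.json
.......
# container volumeMounts: where the Secret's files appear
volumeMounts:
- mountPath: /mnt/file_key
  name: file_key
  readOnly: true
........
# pod-level volumes: the Secret backing the mount
volumes:
- name: file_key
  secret:
    defaultMode: 420  # decimal for octal 0644
    secretName: file_key_secret
```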
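
A preflight check for the misconfiguration in this thread, as an added example (not code from the question or either answer): it classifies `GOOGLE_APPLICATION_CREDENTIALS` without ever printing its value, because in the question's traceback the variable held the key JSON itself and the error message echoed it, private key included. The function name and status strings are assumptions, and it expects a service-account key file as shown on this page.

```python
import json
import os
import stat

ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS"


def check_credentials_env(environ=os.environ):
    """Classify the variable; never return or log its value (it may hold a key)."""
    value = environ.get(ENV_VAR)
    if not value:
        return "unset"  # ADC falls through to its other credential sources
    if value.lstrip().startswith("{"):
        # The Secret's content was injected as the variable (the question's case).
        # google-auth treats it as a filename and echoes it in the exception.
        return "inline-json"
    if not os.path.isfile(value):
        return "missing-file"  # path is set, but nothing is mounted there
    try:
        with open(value, encoding="utf-8") as fh:
            info = json.load(fh)
    except (OSError, ValueError):
        return "unreadable-or-not-json"
    if not isinstance(info, dict) or info.get("type") != "service_account":
        return "not-service-account-key"
    # defaultMode 420 (octal 0644) leaves the key readable by group and others.
    if stat.S_IMODE(os.stat(value).st_mode) & 0o077:
        return "ok-but-group-or-world-readable"
    return "ok"


if __name__ == "__main__":
    # Safe to log: only the classification is printed, not the variable.
    print(ENV_VAR, "->", check_credentials_env())
```

Run it at container start, before `google.auth.default()`, so a bad deployment fails with a status string instead of a traceback containing the key.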