DefaultCredentialsError在尝试收集Google存储的Google默认凭据时发生。

huangapple
go评论106阅读模式
英文:

DefaultCredentialsError when trying to collect Google default credentials for Google storage

问题

我正试图从运行在Kubernetes Pod上的服务上传文件到Google云存储存储桶。这需要对Google存储进行身份验证,因此我从控制台创建了一个JSON身份验证文件。

这个JSON文件保存为我的Kubernetes环境中的一个密钥,并通过环境变量GOOGLE_APPLICATION_CREDENTIALSdeploy.yaml中引用。

格式如下:

  1. {
  2.    "type": "service_account",
  3.    "project_id": "xxx",
  4.    "private_key_id": "xxx",
  5.    "private_key": "-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n",
  6.    "client_email": "xx",
  7.    "client_id": "",
  8.    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  9.    "token_uri": "https://oauth2.googleapis.com/token",
  10.    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  11.    "client_x509_cert_url": "xxx"
  12. }

以下是我如何处理这个身份验证的代码:

  1. import google.auth
  3. credentials, project_id = google.auth.default()
  5. bucket_name = Config.STORAGE_BUCKET_NAME
  6. client = storage.Client(project=project_id)
  7. bucket = client.get_bucket(bucket_name)

在本地登录到gcloud后,我可以在本地测试时上传文件。但是,当部署到Kubernetes时,我收到以下错误:

  1. File "/storage.py", line 8, in <module>
  2.     credentials, project_id = google.auth.default()
  3.   File "/usr/local/lib/python3.6/dist-packages/google/auth/_default.py", line 308, in default
  4.     credentials, project_id = checker()
  5.   File "/usr/local/lib/python3.6/dist-packages/google/auth/_default.py", line 166, in _get_explicit_environ_credentials
  6.     os.environ[environment_vars.CREDENTIALS]
  7.   File "/usr/local/lib/python3.6/dist-packages/google/auth/_default.py", line 92, in _load_credentials_from_file
  8.     "File {} was not found.".format(filename)
  9. google.auth.exceptions.DefaultCredentialsError: File     {
  10.    "type": "service_account",
  11.    "project_id": "xxx",
  12.    "private_key_id": "xxx",
  13.    "private_key": "-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n",
  14.    "client_email": "xx",
  15.    "client_id": "",
  16.    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  17.    "token_uri": "https://oauth2.googleapis.com/token",
  18.    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  19.    "client_x509_cert_url": "xxx"
  20. }
  21.  was not found.

我感到困惑,因为错误中引用了文件本身,所以我假设它已经找到了它,但它不认识它作为一个有效的服务身份验证文件。

非常感谢所有的帮助和指导。 DefaultCredentialsError在尝试收集Google存储的Google默认凭据时发生。

英文:

I am attempting to upload a file to a Google cloud storage bucket from a service running on a Kubernetes pod. This requires authentication for the Google storage and so I have created a json authentication file from the console.

This json file is saved as a secret on my kubernetes environment and is referenced in the deploy.yaml through the environment variable GOOGLE_APPLICATION_CREDENTIALS.

The format appears like this:

  1. {
  2.   &quot;type&quot;: &quot;service_account&quot;,
  3.   &quot;project_id&quot;: &quot;xxx&quot;,
  4.   &quot;private_key_id&quot;: &quot;xxx&quot;,
  5.   &quot;private_key&quot;: &quot;-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n&quot;,
  6.   &quot;client_email&quot;: &quot;xx&quot;,
  7.   &quot;client_id&quot;: &quot;&quot;,
  8.   &quot;auth_uri&quot;: &quot;https://accounts.google.com/o/oauth2/auth&quot;,
  9.   &quot;token_uri&quot;: &quot;https://oauth2.googleapis.com/token&quot;,
  10.   &quot;auth_provider_x509_cert_url&quot;: &quot;https://www.googleapis.com/oauth2/v1/certs&quot;,
  11.   &quot;client_x509_cert_url&quot;: &quot;xxx&quot;
  12. }

And the following code of how I am handling this authentication:

  1. import google.auth
  3. credentials, project_id = google.auth.default()
  6. bucket_name = Config.STORAGE_BUCKET_NAME
  7. client = storage.Client(project=project_id)
  8. bucket = client.get_bucket(bucket_name)

Given that locally I have logged into gcloud, I am able to upload files when testing locally. However, when deployed to Kubernetes I get the following error:

  1.  File &quot;/storage.py&quot;, line 8, in &lt;module&gt;
  2.     credentials, project_id = google.auth.default()
  3.   File &quot;/usr/local/lib/python3.6/dist-packages/google/auth/_default.py&quot;, line 308, in default
  4.     credentials, project_id = checker()
  5.   File &quot;/usr/local/lib/python3.6/dist-packages/google/auth/_default.py&quot;, line 166, in _get_explicit_environ_credentials
  6.     os.environ[environment_vars.CREDENTIALS]
  7.   File &quot;/usr/local/lib/python3.6/dist-packages/google/auth/_default.py&quot;, line 92, in _load_credentials_from_file
  8.     &quot;File {} was not found.&quot;.format(filename)
  9. google.auth.exceptions.DefaultCredentialsError: File     {
  10.   &quot;type&quot;: &quot;service_account&quot;,
  11.   &quot;project_id&quot;: &quot;xxx&quot;,
  12.   &quot;private_key_id&quot;: &quot;xxx&quot;,
  13.   &quot;private_key&quot;: &quot;-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n&quot;,
  14.   &quot;client_email&quot;: &quot;xx&quot;,
  15.   &quot;client_id&quot;: &quot;&quot;,
  16.   &quot;auth_uri&quot;: &quot;https://accounts.google.com/o/oauth2/auth&quot;,
  17.   &quot;token_uri&quot;: &quot;https://oauth2.googleapis.com/token&quot;,
  18.   &quot;auth_provider_x509_cert_url&quot;: &quot;https://www.googleapis.com/oauth2/v1/certs&quot;,
  19.   &quot;client_x509_cert_url&quot;: &quot;xxx&quot;
  20. }
  21.  was not found.

I'm confused as it's referencing the file itself in the error so I am assuming it located it, but it does not recognize it as a valid service authentication file.

All help and pointers appreciated. DefaultCredentialsError在尝试收集Google存储的Google默认凭据时发生。

答案1

得分: 1

我认为你应该先在本地尝试这段代码,然后在Kubernetes上尝试,以检查是否与你的service_account.json文件有关:

  1. client = storage.Client.from_service_account_json('service_account.json')

或者 链接:

如果你的应用程序在Compute Engine、Kubernetes Engine、App Engine灵活环境或Cloud Functions上运行,你不需要创建自己的服务账号。Compute Engine会自动为你创建一个默认的服务账号,并且如果需要的话,你可以为每个实例分配不同的服务账号。

  1. credentials = compute_engine.Credentials()
  2. # 使用凭据创建客户端,并指定项目ID。
  3. storage_client = storage.Client(credentials=credentials, project=project)
英文:

I think you should try this code locally and then on kubernetes, to check if is a problem with your service_account.json file:

  1.     client = storage.Client.from_service_account_json(
  2.     &#39;service_account.json&#39;)

or link:

> If your application runs on Compute Engine, Kubernetes Engine, the App
> Engine flexible environment, or Cloud Functions, you don't need to
> create your own service account. Compute Engine includes a default
> service account that is automatically created for you, and you can
> assign a different service account, per-instance, if needed.

  1. credentials = compute_engine.Credentials()
  2. # Create the client using the credentials and specifying a project ID.
  3. storage_client = storage.Client(credentials=credentials, project=project)

答案2

得分: 0

我的问题最终是因为我没有在部署文件中将秘密的 JSON 密钥文件设置为卷挂载。

我是这样做的示例:

  1. - name: GOOGLE_APPLICATION_CREDENTIALS
  2.   value: /mnt/file_key/key.json
  3. .......
  5. volumeMounts:
  6. - mountPath: /mnt/file_key
  7.   name: file_key
  8.   readOnly: true
  10. .......
  12. volumes:
  13. - name: file_key
  14.   secret:
  15.     defaultMode: 420
  16.     secretName: file_key_secret
英文:

My issue ended up being that I had no set up the secret json key file as a volume mount in the deploy file.

Example of how I did it:

  1.         - name: GOOGLE_APPLICATION_CREDENTIALS
  2.           value: /mnt/file_key/key.json
  3.     .......
  5.         volumeMounts:
  6.         - mountPath: /mnt/file_key
  7.           name: file_key
  8.           readOnly: true
  10. ........
  11.       volumes:
  12.       - name: file_key
  13.         secret:
  14.           defaultMode: 420
  15.           secretName: file_key_secret

huangapple
  • 本文由 发表于 2020年1月3日 14:46:31
  • 转载请务必保留本文链接:https://go.coder-hub.com/59574296.html
  • gcloud
  • google-cloud-storage
  • kubernetes
  • python
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定