DefaultCredentialsError在尝试收集Google存储的Google默认凭据时发生。

huangapple go评论84阅读模式
英文:

DefaultCredentialsError when trying to collect Google default credentials for Google storage

问题

我正试图从运行在Kubernetes Pod上的服务上传文件到Google云存储存储桶。这需要对Google存储进行身份验证,因此我从控制台创建了一个JSON身份验证文件。

这个JSON文件保存为我的Kubernetes环境中的一个密钥,并通过环境变量GOOGLE_APPLICATION_CREDENTIALSdeploy.yaml中引用。

格式如下:

{
   "type": "service_account",
   "project_id": "xxx",
   "private_key_id": "xxx",
   "private_key": "-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n",
   "client_email": "xx",
   "client_id": "",
   "auth_uri": "https://accounts.google.com/o/oauth2/auth",
   "token_uri": "https://oauth2.googleapis.com/token",
   "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
   "client_x509_cert_url": "xxx"
}

以下是我如何处理这个身份验证的代码:

import google.auth

credentials, project_id = google.auth.default()

bucket_name = Config.STORAGE_BUCKET_NAME
client = storage.Client(project=project_id)
bucket = client.get_bucket(bucket_name)

在本地登录到gcloud后,我可以在本地测试时上传文件。但是,当部署到Kubernetes时,我收到以下错误:

File "/storage.py", line 8, in <module>
    credentials, project_id = google.auth.default()
  File "/usr/local/lib/python3.6/dist-packages/google/auth/_default.py", line 308, in default
    credentials, project_id = checker()
  File "/usr/local/lib/python3.6/dist-packages/google/auth/_default.py", line 166, in _get_explicit_environ_credentials
    os.environ[environment_vars.CREDENTIALS]
  File "/usr/local/lib/python3.6/dist-packages/google/auth/_default.py", line 92, in _load_credentials_from_file
    "File {} was not found.".format(filename)
google.auth.exceptions.DefaultCredentialsError: File     {
   "type": "service_account",
   "project_id": "xxx",
   "private_key_id": "xxx",
   "private_key": "-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n",
   "client_email": "xx",
   "client_id": "",
   "auth_uri": "https://accounts.google.com/o/oauth2/auth",
   "token_uri": "https://oauth2.googleapis.com/token",
   "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
   "client_x509_cert_url": "xxx"
}
 was not found.

我感到困惑,因为错误中引用了文件本身,所以我假设它已经找到了它,但它不认识它作为一个有效的服务身份验证文件。

非常感谢所有的帮助和指导。 DefaultCredentialsError在尝试收集Google存储的Google默认凭据时发生。

英文:

I am attempting to upload a file to a Google cloud storage bucket from a service running on a Kubernetes pod. This requires authentication for the Google storage and so I have created a json authentication file from the console.

This json file is saved as a secret on my kubernetes environment and is referenced in the deploy.yaml through the environment variable GOOGLE_APPLICATION_CREDENTIALS.

The format appears like this:

{
  &quot;type&quot;: &quot;service_account&quot;,
  &quot;project_id&quot;: &quot;xxx&quot;,
  &quot;private_key_id&quot;: &quot;xxx&quot;,
  &quot;private_key&quot;: &quot;-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n&quot;,
  &quot;client_email&quot;: &quot;xx&quot;,
  &quot;client_id&quot;: &quot;&quot;,
  &quot;auth_uri&quot;: &quot;https://accounts.google.com/o/oauth2/auth&quot;,
  &quot;token_uri&quot;: &quot;https://oauth2.googleapis.com/token&quot;,
  &quot;auth_provider_x509_cert_url&quot;: &quot;https://www.googleapis.com/oauth2/v1/certs&quot;,
  &quot;client_x509_cert_url&quot;: &quot;xxx&quot;
}

And the following code of how I am handling this authentication:

import google.auth

credentials, project_id = google.auth.default()


bucket_name = Config.STORAGE_BUCKET_NAME
client = storage.Client(project=project_id)
bucket = client.get_bucket(bucket_name)

Given that locally I have logged into gcloud, I am able to upload files when testing locally. However, when deployed to Kubernetes I get the following error:

 File &quot;/storage.py&quot;, line 8, in &lt;module&gt;
    credentials, project_id = google.auth.default()
  File &quot;/usr/local/lib/python3.6/dist-packages/google/auth/_default.py&quot;, line 308, in default
    credentials, project_id = checker()
  File &quot;/usr/local/lib/python3.6/dist-packages/google/auth/_default.py&quot;, line 166, in _get_explicit_environ_credentials
    os.environ[environment_vars.CREDENTIALS]
  File &quot;/usr/local/lib/python3.6/dist-packages/google/auth/_default.py&quot;, line 92, in _load_credentials_from_file
    &quot;File {} was not found.&quot;.format(filename)
google.auth.exceptions.DefaultCredentialsError: File     {
  &quot;type&quot;: &quot;service_account&quot;,
  &quot;project_id&quot;: &quot;xxx&quot;,
  &quot;private_key_id&quot;: &quot;xxx&quot;,
  &quot;private_key&quot;: &quot;-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n&quot;,
  &quot;client_email&quot;: &quot;xx&quot;,
  &quot;client_id&quot;: &quot;&quot;,
  &quot;auth_uri&quot;: &quot;https://accounts.google.com/o/oauth2/auth&quot;,
  &quot;token_uri&quot;: &quot;https://oauth2.googleapis.com/token&quot;,
  &quot;auth_provider_x509_cert_url&quot;: &quot;https://www.googleapis.com/oauth2/v1/certs&quot;,
  &quot;client_x509_cert_url&quot;: &quot;xxx&quot;
}
 was not found.

I'm confused as it's referencing the file itself in the error so I am assuming it located it, but it does not recognize it as a valid service authentication file.

All help and pointers appreciated. DefaultCredentialsError在尝试收集Google存储的Google默认凭据时发生。

答案1

得分: 1

我认为你应该先在本地尝试这段代码,然后在Kubernetes上尝试,以检查是否与你的service_account.json文件有关:

client = storage.Client.from_service_account_json('service_account.json')

或者 链接:

如果你的应用程序在Compute Engine、Kubernetes Engine、App Engine灵活环境或Cloud Functions上运行,你不需要创建自己的服务账号。Compute Engine会自动为你创建一个默认的服务账号,并且如果需要的话,你可以为每个实例分配不同的服务账号。

credentials = compute_engine.Credentials()
# 使用凭据创建客户端,并指定项目ID。
storage_client = storage.Client(credentials=credentials, project=project)
英文:

I think you should try this code locally and then on kubernetes, to check if is a problem with your service_account.json file:

    client = storage.Client.from_service_account_json(
    &#39;service_account.json&#39;) 

or link:

> If your application runs on Compute Engine, Kubernetes Engine, the App
> Engine flexible environment, or Cloud Functions, you don't need to
> create your own service account. Compute Engine includes a default
> service account that is automatically created for you, and you can
> assign a different service account, per-instance, if needed.

credentials = compute_engine.Credentials()
# Create the client using the credentials and specifying a project ID.
storage_client = storage.Client(credentials=credentials, project=project)

答案2

得分: 0

我的问题最终是因为我没有在部署文件中将秘密的 JSON 密钥文件设置为卷挂载。

我是这样做的示例:

- name: GOOGLE_APPLICATION_CREDENTIALS
  value: /mnt/file_key/key.json
.......

volumeMounts:
- mountPath: /mnt/file_key
  name: file_key
  readOnly: true

.......

volumes:
- name: file_key
  secret:
    defaultMode: 420
    secretName: file_key_secret
英文:

My issue ended up being that I had no set up the secret json key file as a volume mount in the deploy file.

Example of how I did it:

        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /mnt/file_key/key.json
    .......

        volumeMounts:
        - mountPath: /mnt/file_key
          name: file_key
          readOnly: true

........
      volumes:
      - name: file_key
        secret:
          defaultMode: 420
          secretName: file_key_secret

huangapple
  • 本文由 发表于 2020年1月3日 14:46:31
  • 转载请务必保留本文链接:https://go.coder-hub.com/59574296.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定