Why Google Cloud Storage isn't taking my GOOGLE_APPLICATION_CREDENTIALS environment variable [HEROKU]?

huangapple go评论85阅读模式
英文:

Why Google Cloud Storage isn't taking my GOOGLE_APPLICATION_CREDENTIALS environment variable [HEROKU]?

问题

我正在使用Spring Boot开发一个POC网站,以了解GCP产品,特别是Google Cloud Storage。背景是,我正在尝试在用户注册时保存个人资料图片。

根据Google文档,我可以使用以下代码验证我的凭据,如果我在环境变量中设置了GOOGLE_APPLICATION_CREDENTIALS:

StorageOptions.getDefaultInstance().getService();

事实是,我的确在环境变量中设置了GOOGLE_APPLICATION_CREDENTIALS(我使用的是Linux Mint),并且它指向了我的.json文件(使用路径方法可以正常工作)。但是,它总是从GCP库返回401 UNAUTHORIZED错误。

在花了几个小时进行搜索后,为了确保我在终端上运行了这条命令:

gcloud auth application-default login

这个命令的响应是:

环境变量[GOOGLE_APPLICATION_CREDENTIALS]已设置为:
  [/home/<myuser>/<some_folder>/<myapplication>-<id>.json]
凭据仍将生成到默认位置:
  [/home/<myuser>/.config/gcloud/application_default_credentials.json]
要使用这些凭据,请在运行应用程序之前取消设置此环境变量。

您要继续吗(Y/n)?

确认并使用浏览器登录后,令人惊讶的是,使用 StorageOptions.getDefaultInstance().getService(); 能够正常工作。

所以我猜测GCP从application_default_credentials文件中获取凭据,而不是从GOOGLE_APPLICATION_CREDENTIALS环境变量中获取。

因此,在我的本地环境中,一切正常。 问题是:这个网站部署在Heroku上,我不能使用path方法,因为我不想将这些凭据放在GitHub上。
我已经在Heroku上设置了环境变量,但没有起作用。
我还尝试过使用以下这些构建包:

https://github.com/elishaterada/heroku-google-application-credentials-buildpack
https://github.com/gerywahyunugraha/heroku-google-application-credentials-buildpack

但是在Heroku云上无法使其正常工作。有人知道我如何在遵循12factor规则的情况下使其正常运行吗?

英文:

I'm developing a POC website with Spring Boot to learn about GCP products, in specific Google Cloud Storage. The context is I am trying to save a profile picture when a user is registered.

From Google documentation, I can use

StorageOptions.getDefaultInstance().getService();

to validate my credentials if I have GOOGLE_APPLICATION_CREDENTIALS on my environment variables. The fact is, I do have GOOGLE_APPLICATION_CREDENTIALS as an environment variable (I'm using Linux Mint) pointing to my .json file (that is valid because using the path method it works), but it always returns 401 UNAUTHORIZED from GCP lib.

After spending HOURS searching, just to make sure I run this command on terminal:

gcloud auth application-default login

The response from this command is:

The environment variable [GOOGLE_APPLICATION_CREDENTIALS] is set to:
  [/home/&lt;myuser&gt;/&lt;some_folder&gt;/&lt;myapplication&gt;-&lt;id&gt;.json]
Credentials will still be generated to the default location:
  [/home/&lt;myuser&gt;/.config/gcloud/application_default_credentials.json]
To use these credentials, unset this environment variable before
running your application.

Do you want to continue (Y/n)?

After confirming and login with my browser, to my surprise it worked using StorageOptions.getDefaultInstance().getService();

So I'm assuming that GCP takes credentials from application_default_credentials file instead of the GOOGLE_APPLICATION_CREDENTIALS env var.

So on my local environment, it's working fine. The problem is: This website is deployed on Heroku and I can't use the path method because I don't want to put this credentials on GitHub.
I already put the environment variables at Heroku and didn't work.
Already tried to use these buildpacks too:

https://github.com/elishaterada/heroku-google-application-credentials-buildpack
https://github.com/gerywahyunugraha/heroku-google-application-credentials-buildpack

but I can't get it to work when on Heroku Cloud. Someone knows a way I can make this run using the 12factor rules, please?

答案1

得分: 1

为了传递凭据,您可以通过环境变量进行,实际上这就是您提到的方式。在Linux中,您应该使用以下命令:

export GOOGLE_APPLICATION_CREDENTIALS="[PATH]"

然而,需要注意的是,这个变量仅适用于您当前的 shell 会话,因此如果您打开一个新会话,需要重新设置这个变量。

另一方面,执行此任务的另一个选项是通过代码传递凭据,正如您在分享的链接中所见,您应该使用类似下面的代码:

GoogleCredentials credentials = GoogleCredentials.fromStream(new FileInputStream(jsonPath))
        .createScoped(Lists.newArrayList("https://www.googleapis.com/auth/cloud-platform"));
Storage storage = StorageOptions.newBuilder().setCredentials(credentials).build().getService();

最后,如果您不想在应用程序代码中指定凭据,您可以使用Cloud Key Management Service。我认为KMS是您的情况下一个不错的选择,但最终决定还是取决于您。

英文:

In order to pass credentials you can do it via environment variables, that in fact is the one you are mentioning. To do it in Linux you should use the below command

export GOOGLE_APPLICATION_CREDENTIALS=&quot;[PATH]&quot;

Nevertheless, something to keep in mind is that this variable only applies to your current shell session, so if you open a new session, set the variable again.

On the other hand, another option for perform this task is passing credentials using code, and as you can see in the shared link you should use something like below.

GoogleCredentials credentials = GoogleCredentials.fromStream(new FileInputStream(jsonPath))
        .createScoped(Lists.newArrayList(&quot;https://www.googleapis.com/auth/cloud-platform&quot;));
  Storage storage = StorageOptions.newBuilder().setCredentials(credentials).build().getService();

Finally, in case you do not want to point the credentials inside of your applications's code, you can use Cloud Key Management Service. I think that KMS is a good option for your case but at the end, you should make the decision.

huangapple
  • 本文由 发表于 2020年9月17日 01:58:26
  • 转载请务必保留本文链接:https://go.coder-hub.com/63925550.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定