Unable to sign GCS URL with gcloud default login
Question
I am working on a Golang backend and using the cloud.google.com/go/storage library to communicate with our GCS instance. Currently, I am using this library to sign URLs and upload media to our instance. However, I would like to avoid downloading the service account key file and explicitly setting the GOOGLE_APPLICATION_CREDENTIALS environment variable for local development purposes. To achieve this, I followed the referenced documentation to provide my user credentials for ADC.

Uploading media works fine using the new ADC configuration. However, when attempting to sign a URL using the following code snippet:

    u, err := client.Bucket(bucket).SignedURL(object, &storage.SignedURLOptions{
        Method:  http.MethodGet,
        Expires: time.Now().Add(365 * 24 * time.Hour),
    })

I receive an error message:

    storage: unable to detect default GoogleAccessID: storage: empty client email in credentials

This error message is puzzling since I authenticated using gcloud auth application-default login before executing the code. What could be the problem here, and how can I fix it?

Edit:
I tried to add the --impersonate-service-account flag pointing to a service account with token creation permissions, but that doesn't seem to work either.
Answer 1
Score: 0
Apparently, this issue was resolved in a recent version of cloud.google.com/go/storage (I read about it in a GitHub discussion but can no longer find a link for some reason). You must have a service account attached to sign URLs, and the library is now able to pick up the GoogleAccessID associated with impersonation. After upgrading to v1.29.0 and authenticating using gcloud auth application-default login --impersonate-service-account=<SERVICE_ACCOUNT>, everything seems to work properly. Make sure your user account has the "service account token creator" role assigned to it under the service account.