英文:
gcloud auth application-default print-access-token not finding my environment variable
问题
我在按照[这里](https://cloud.google.com/text-to-speech/docs/create-audio-text-command-line)描述的步骤使用curl进行Google Cloud Text to Speech工作。
我有一个具有其密钥的服务帐户在google-credentials.json中(这目前适用于Google Cloud Storage)。
在终端中,我以两种不同的方式设置了GOOGLE_APPLICATION_CREDENTIALS环境变量:
1) 在应用程序工作目录中,我将其设置为:
GOOGLE_APPLICATION_CREDENTIALS="google-credentials.json"
或者
2) 设置绝对路径
GOOGLE_APPLICATION_CREDENTIALS="~/Projects/dbsan2/google-credentials.json"
运行
echo $GOOGLE_APPLICATION_CREDENTIALS
返回我设置的给定值。
按照上述文章中的说明运行以下命令:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://texttospeech.googleapis.com/v1/text:synthesize"
警告:尝试1的时候计算引擎元数据服务器不可用。原因:超时
警告:尝试2的时候计算引擎元数据服务器不可用。原因:超时
警告:尝试3的时候计算引擎元数据服务器不可用。原因:[Errno 64] 主机关闭
错误:(gcloud.auth.application-default.print-access-token) 无法自动确定凭据。请设置GOOGLE_APPLICATION_CREDENTIALS或显式创建凭据并重新运行应用程序。有关更多信息,请参见https://cloud.google.com/docs/authentication/getting-started
{
"error": {
"code": 403,
"message": "The request is missing a valid API key.",
"status": "PERMISSION_DENIED"
}
}
我做错了什么?
英文:
I am working on following the steps for Google Cloud Text to Speech via curl as described here.
I have a Service Account with its key in google-credentials.json (this currently works for Google Cloud Storage).
in Terminal I set the GOOGLE_APPLICATION_CREDENTIALS environment variable two different ways:
-
While within the application working directory, I set it to:
GOOGLE_APPLICATION_CREDENTIALS="google-credentials.json"
or
-
Setting the absolute path
GOOGLE_APPLICATION_CREDENTIALS="~/Projects/dbsan2/google-credentials.json"
Performaning
echo $GOOGLE_APPLICATION_CREDENTIALS
returns the given value I set it to.
Running nano $GOOGLE_APPLICATION_CREDENTIALS only opens the file for the first approach, the second opens a blank document.
running the following command as described in the article above:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://texttospeech.googleapis.com/v1/text:synthesize"
WARNING: Compute Engine Metadata server unavailable on attempt 1 of 3. Reason: timed out
WARNING: Compute Engine Metadata server unavailable on attempt 2 of 3. Reason: timed out
WARNING: Compute Engine Metadata server unavailable on attempt 3 of 3. Reason: [Errno 64] Host is down
ERROR: (gcloud.auth.application-default.print-access-token) Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://cloud.google.com/docs/authentication/getting-started
{
"error": {
"code": 403,
"message": "The request is missing a valid API key.",
"status": "PERMISSION_DENIED"
}
}
What am I doing wrong?
答案1
得分: 2
不使用服务帐号密钥文件。这是一个安全的不良实践。即使在谷歌云文档中提到(我已经与谷歌争论多年!!)
确实,Jordi的回答有效,但你必须知道为什么。
在CURL命令中
curl -X POST \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://texttospeech.googleapis.com/v1/text:synthesize"
你不使用服务帐号,而是使用当前登录的用户。显然,你的当前用户未经过身份验证。
你可以执行gcloud auth application-default login进行身份验证。你还可以使用替代方法冒充服务帐号(如果你更喜欢使用服务帐号角色/权限)gcloud auth application-default login --impersonate-service-account=<service account email>
然而,这个解决方案可能无法与你的curl一起工作。实际上,用户与特定项目不关联,(而服务帐号是关联的)。
有一种解决方法可以修复这个问题,而无需使用服务帐号密钥文件。你必须添加一个额外的头部x-goog-user-project,以获得以下效果
curl -X POST \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-H "x-goog-user-project: <Your Project ID with Text to Speech API activated>" \
-d @request.json \
"https://texttospeech.googleapis.com/v1/text:synthesize"
英文:
Do not use a service account key file. It's a security bad practice. AND EVEN IF IT'S MENTIONED IN THE GOOGLE CLOUD DOCUMENTATION (and I'm fighting against that and Google for years now!!)
Indeed, the Jordi answer works, but you have to know why.
In the CURL command
curl -X POST \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://texttospeech.googleapis.com/v1/text:synthesize"
You don't use the service account, you use the current logged user. Apparently your current user is not authenticated.
You can perform a gcloud auth application-default login to authenticate yourselves. You can also use the alternative to impersonate a service account (if you prefer using the service account roles/permissions) gcloud auth application-default login --impersonate-service-account=<service account email>
However this solution could not work with your curl. Indeed, a user is not linked to a specific project, (as a service account is).
There is a solution to fix that, without using a service account key file. You have to add an additional header x-goog-user-project, to obtain that
curl -X POST \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-H "x-goog-user-project: <Your Project ID with Text to Speech API activated>" \
-d @request.json \
"https://texttospeech.googleapis.com/v1/text:synthesize"
答案2
得分: 0
这个问题可能与双引号的使用有关。我会设置成这样:
export GOOGLE_APPLICATION_CREDENTIALS=~/Projects/dbsan2/google-credentials.json
还要确保将其设置为系统范围的环境变量,而不是限定在用户会话中。
英文:
This issue might be related to the use of double quotation marks. I would set it like this:
export GOOGLE_APPLICATION_CREDENTIALS=~/Projects/dbsan2/google-credentials.json
Also make sure that you are setting it as a system wide env variable and not a limited user session one.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论