Cannot find default credentials in Cloud Run

Question


I am writing a program that speaks with Cloud Spanner in Postgres Dialect. My application is a gin server and I am using pgadapter to connect as mentioned in this doc.

My application runs fine locally. But when I deploy it to Cloud Run, I get the following log.
Cannot find default credentials in Cloud Run.

The error basically comes from the StartPGAdapterWithCredentials function.

func StartPGAdapter(ctx context.Context, project, instance string) (port int, cleanup func(), err error) {
	credentials, err := google.FindDefaultCredentials(ctx)
	// Check the error first: credentials is nil when the lookup fails.
	if err != nil {
		return 0, func() {}, err
	}
	// Debug output. Note that this writes the credentials JSON (key material) to the logs.
	fmt.Println("credentials " + (credentials.ProjectID) + "json " + utils.ToString(credentials.JSON) + "ts " + utils.ToString(credentials.TokenSource))
	return StartPGAdapterWithCredentials(ctx, project, instance, credentials)
}

func StartPGAdapterWithCredentials(ctx context.Context, project, instance string, credentials *google.Credentials) (port int, cleanup func(), err error) {
	if credentials == nil {
		return 0, func() {}, fmt.Errorf("credentials cannot be nil")
	}
	// Credentials supplied by the environment (as on Cloud Run) carry a TokenSource but no JSON.
	if credentials.JSON == nil || len(credentials.JSON) == 0 {
		return 0, func() {}, fmt.Errorf("only JSON based credentials are supported")
	}
	// The JSON key is written to a temporary file so it can be handed to PGAdapter.
	credentialsFile, err := os.CreateTemp(os.TempDir(), "pgadapter-credentials")
	if err != nil {
		return 0, func() {}, err
	}

On my local system, GOOGLE_APPLICATION_CREDENTIALS is set and hence it is able to get the credentials. However, this is not working in Cloud Run.

How do I get it to run in Cloud Run?

Additional info: followed the example present here.

Answer 1

Score: 2


It seems that you are trying to start PGAdapter in an embedded container on Cloud Run, and then copy the service account credentials from your environment to the PGAdapter embedded container. The problem is that Cloud Run does not provide access to the underlying service account file. Instead, you should just let the Google Cloud libraries get the default credentials of the environment.

The difficult part in your example is that you are starting PGAdapter in an embedded container, which means that there are no default credentials in that environment. The recommended way to run PGAdapter on Cloud Run is to include it in your main container. That will make it possible for PGAdapter to just fetch the default credentials that are provided by Cloud Run. That means that you should not specify the -c /path/to/credentials.json argument when starting PGAdapter.

There are (at least) two ways that you can include PGAdapter in your main container:

  1. Add the Java .jar file build to your Docker image and start PGAdapter in your container. See this example for how to start PGAdapter directly from .jar files. This also requires you to add a Java JRE to your Docker image.
  2. Let your Docker build extend the PGAdapter base Docker image. This will automatically include all dependencies that are needed for PGAdapter. You will have to override the ENTRYPOINT of the base image.

See PGAdapter Cloud Run Sample for Go for an extensive (runnable) sample for the latter option.
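
The following Go example is added here and is not part of the original post or of the PGAdapter project. It models why `credentials.JSON` is empty on Cloud Run and when `-c` should be passed to PGAdapter. `resolveADC`, `pgAdapterArgs` and the use of `K_SERVICE` as the Cloud Run signal are assumptions for illustration, and all values are constructed.

```go
package main

import (
	"fmt"
	"path/filepath"
)

type CredSource int // where Application Default Credentials (ADC) come from
const (
	NoCreds        CredSource = iota
	KeyFile                   // JSON file: GOOGLE_APPLICATION_CREDENTIALS or gcloud's ADC file
	MetadataServer            // Cloud Run / GCE: tokens only, no JSON on disk
)

// resolveADC follows the ADC search order; env and exists are injected so it runs offline.
// Assumption: K_SERVICE (set by Cloud Run) stands in for the library's metadata-server probe.
func resolveADC(env map[string]string, exists func(string) bool) (CredSource, string) {
	if p := env["GOOGLE_APPLICATION_CREDENTIALS"]; p != "" {
		if exists(p) {
			return KeyFile, p
		}
		return NoCreds, "" // a configured but missing file is an error, not a fall-through
	}
	if p := filepath.Join(env["HOME"], ".config", "gcloud", "application_default_credentials.json"); exists(p) {
		return KeyFile, p
	}
	if env["K_SERVICE"] != "" {
		return MetadataServer, ""
	}
	return NoCreds, ""
}

// pgAdapterArgs adds -c only for a JSON file; otherwise PGAdapter must share the container.
func pgAdapterArgs(project, instance string, src CredSource, path string) ([]string, error) {
	args := []string{"-p", project, "-i", instance}
	switch src {
	case KeyFile:
		return append(args, "-c", path), nil
	case MetadataServer:
		return args, nil
	}
	return nil, fmt.Errorf("no default credentials available")
}

func main() {
	// Constructed Cloud Run-like environment: K_SERVICE set, no key file present.
	src, path := resolveADC(map[string]string{"K_SERVICE": "constructed-service"}, func(string) bool { return false })
	fmt.Println(pgAdapterArgs("constructed-project", "constructed-instance", src, path))
}
```

With the metadata-server result no key material is ever written to disk or copied between containers, which is the setup the answer recommends.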

huangapple
  • Published on April 4, 2023, 20:36:12
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75929468.html