英文:
Gcloud - How to use a service-account and a user account from the same machine?
问题
I have created a service account for a coworker to upload files into my GCP bucket. I shared the service account credentials and the coworker activated them with the gcloud auth
command.
$ gcloud auth activate-service-account --key-file bucket-creds.json
Activated service account credentials for: [upload@my-bucket.iam.gserviceaccount.com]
The account was validated with gcloud auth list:
$ gcloud auth list
ACTIVE ACCOUNT Credentialed Accounts
useraccount@company.com
* upload@my-bucket.iam.gserviceaccount.com
Now, when my coworker goes to upload something into my bucket with gsutil cp
, they receive an error about having multiple credential types.
$ gsutil cp example.file gs://my-bucket/
CommandException: You have multiple types of configured credentials (['Oauth 2.0 User Account', 'OAuth 2.0 Service Account']), which is not supported. One common way this happens is if you run gsutil config to create credentials and later run gcloud auth, and create a second set of credentials. Your boto config path is: ['/data/home/user/.boto', '/data/home/user/.config/gcloud/legacy_credentials/upload@my-bucket.iam.gserviceaccount.com/.boto']. For more help, see "gsutil help creds".
I'm very confused at why gsutil is unable to handle multiple types of credentials. If the service account has been activated with gcloud auth, why is the gsutil cp
command unable to use the credentials just because there are also other credentials available? Is it expected that we should delete the original user credentials and just use the service account credentials?
I have read the other questions on this topic and found them unhelpful. I understand there may be a need to change some environment variables, but I'm unsure how we should do this and if we will be able to retain the functionality of the original user account after the upload is completed. Is anyone able to explain why this does not work? I have had no issues in the past using user accounts AND service accounts during the same session, so long as the gcloud auth
command was executed before other commands.
My coworker tried logging back into their user account and initiating the upload, unsurprisingly this didn't work as their user account does not have the required permissions while the service account does.
$ gcloud config set account useraccount@company.com
$ gsutil cp example.file gs://my-bucket/
ResumableUploadAbortException: 403 useraccount@company.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).
英文:
I have created a service account for a coworker to upload files into my GCP bucket. I shared the service account credentials and the coworker activated them with the gcloud auth
command.
$ gcloud auth activate-service-account --key-file bucket-creds.json
Activated service account credentials for: [upload@my-bucket.iam.gserviceaccount.com]
The account was validated with gcloud auth list:
$ gcloud auth list
ACTIVE ACCOUNT Credentialed Accounts
useraccount@company.com
* upload@my-bucket.iam.gserviceaccount.com
Now, when my coworker goes to upload something into my bucket with gsutil cp
, they receive an error about having multiple credential types.
$ gsutil cp example.file gs://my-bucket/
Copying file://example.file [Content-Type=application/x-tar]...
CommandException: You have multiple types of configured credentials (['Oauth 2.0 User Account', 'OAuth 2.0 Service Account']), which is not supported. One common way this happens is if you run gsutil config to create credentials and later run gcloud auth, and create a second set of credentials. Your boto config path is: ['/data/home/user/.boto', '/data/home/user/.config/gcloud/legacy_credentials/upload@my-bucket.iam.gserviceaccount.com/.boto']. For more help, see "gsutil help creds".
I'm very confused at why gsutil is unable to handle multiple types of credentials. If the service account has been activated with gcloud auth, why is the gsutil cp
command unable to use the credentials just because there are also other credentials available? Is it expected that we should delete the original user credentials and just use the service account credentials?
I have read the other questions on this topic and found them unhelpful. I understand there may be a need to change some environment variables, but I'm unsure how we should do this and if we will be able to retain the functionality of the original user account after the upload is completed. Is anyone able to explain why this does not work? I have had no issues in the past using user accounts AND service accounts during the same session, so long as the gcloud auth
command was executed before other commands. .
My coworker tried logging back into their user account and initiating the upload, unsurprisingly this didn't work as their user account does not have the required permissions while the service account does.
$ gcloud config set account useraccount@company.com
Updated property [core/account].
$ gsutil cp example.file gs://my-bucket/
Copying file://example.file [Content-Type=application/x-tar]...
ResumableUploadAbortException: 403 useraccount@company.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).
答案1
得分: 1
系统配置错误。建议运行 gcloud auth revoke
直到没有更多的凭据被授权。运行 gsutil ls
并验证 gsutil
未被授权。运行 gcloud init
。然后运行 gcloud auth activate-service-account
。
如果要配置 gsutil
以使用服务账号而不是由 gcloud
配置的凭据,请运行以下两个命令:
gcloud config set pass_credentials_to_gsutil false
gsutil config -e
将要求输入服务账号 JSON 密钥文件的完整路径。
英文:
Something is misconfigured on your system. I recommend running gcloud auth revoke
until no more credentials are authorized. Run gsutil ls
and verify that gsutil
is not authorized. Run gcloud init
. Then run gcloud auth activate-service-account
.
If you want to configure gsutil
to use a service account instead of the credentials configured by gcloud
run the following two commands:
gcloud config set pass_credentials_to_gsutil false
gsutil config -e
You will be prompted for the full path to the service account JSON key file.
答案2
得分: 1
gsutil 不定义任何凭证优先级,因此如果发现多种类型的凭证存在,它不知道应该使用哪一个。
错误是准确的 - 它显示您的主目录中有一个为独立 (非 gcloud) gsutil 安装创建的 boto 文件,以及由 gcloud 创建的一个用于服务帐户的 boto 文件。您应该选择一种 gsutil 安装方法并坚持使用 - 要么使用独立 gsutil,要么安装 gcloud 并使用其中包含的 gsutil 安装程序。混用这两者通常会导致配置错误,就像这样。
如果使用 gcloud 预装的 gsutil 安装程序,您应该删除为独立 gsutil 使用创建的配置文件 (即主目录中的一个),只使用 gcloud 来配置您的活动帐户和相关凭证 (实际上,这只是让 gcloud 告诉 gsutil 应加载哪个 boto 配置)。
英文:
gsutil does not define any credential precedence, so if it finds multiple types of credentials present, it doesn't know which should be used.
The error is accurate -- it shows that you have a boto file in your home directory that was created for use with a standalone (non-gcloud) gsutil installation, as well as a boto file that was created by gcloud (the one for the service account). You should choose one gsutil installation method and stick with it -- either use standalone gsutil, or install gcloud and use the gsutil installation included with that. Mixing the two often results in configuration errors like this.
If using a gcloud-bundled gsutil installation, you should delete the config file(s) that were created for use with standalone gsutil (i.e. the one in your home directory), and just use gcloud to configure your active account and associated credentials (which, under the hood, actually just makes gcloud tell gsutil which boto config it should load).
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论