如何在同一台机器上使用服务帐户和用户帐户?

huangapple go评论64阅读模式
英文:

Gcloud - How to use a service-account and a user account from the same machine?

问题

I have created a service account for a coworker to upload files into my GCP bucket. I shared the service account credentials and the coworker activated them with the gcloud auth command.

$ gcloud auth activate-service-account --key-file bucket-creds.json
Activated service account credentials for: [upload@my-bucket.iam.gserviceaccount.com]

The account was validated with gcloud auth list:

$ gcloud auth list

ACTIVE ACCOUNT Credentialed Accounts
useraccount@company.com
* upload@my-bucket.iam.gserviceaccount.com

Now, when my coworker goes to upload something into my bucket with gsutil cp, they receive an error about having multiple credential types.

$ gsutil cp example.file gs://my-bucket/

CommandException: You have multiple types of configured credentials (['Oauth 2.0 User Account', 'OAuth 2.0 Service Account']), which is not supported. One common way this happens is if you run gsutil config to create credentials and later run gcloud auth, and create a second set of credentials. Your boto config path is: ['/data/home/user/.boto', '/data/home/user/.config/gcloud/legacy_credentials/upload@my-bucket.iam.gserviceaccount.com/.boto']. For more help, see "gsutil help creds".

I'm very confused at why gsutil is unable to handle multiple types of credentials. If the service account has been activated with gcloud auth, why is the gsutil cp command unable to use the credentials just because there are also other credentials available? Is it expected that we should delete the original user credentials and just use the service account credentials?

I have read the other questions on this topic and found them unhelpful. I understand there may be a need to change some environment variables, but I'm unsure how we should do this and if we will be able to retain the functionality of the original user account after the upload is completed. Is anyone able to explain why this does not work? I have had no issues in the past using user accounts AND service accounts during the same session, so long as the gcloud auth command was executed before other commands.

My coworker tried logging back into their user account and initiating the upload, unsurprisingly this didn't work as their user account does not have the required permissions while the service account does.

$ gcloud config set account useraccount@company.com

$ gsutil cp example.file gs://my-bucket/

ResumableUploadAbortException: 403 useraccount@company.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).

英文:

I have created a service account for a coworker to upload files into my GCP bucket. I shared the service account credentials and the coworker activated them with the gcloud auth command.

$ gcloud auth activate-service-account --key-file bucket-creds.json
Activated service account credentials for: [upload@my-bucket.iam.gserviceaccount.com]

The account was validated with gcloud auth list:

$ gcloud auth list

ACTIVE ACCOUNT Credentialed Accounts
useraccount@company.com
* upload@my-bucket.iam.gserviceaccount.com

Now, when my coworker goes to upload something into my bucket with gsutil cp, they receive an error about having multiple credential types.

$ gsutil cp example.file gs://my-bucket/
Copying file://example.file [Content-Type=application/x-tar]...

CommandException: You have multiple types of configured credentials (['Oauth 2.0 User Account', 'OAuth 2.0 Service Account']), which is not supported. One common way this happens is if you run gsutil config to create credentials and later run gcloud auth, and create a second set of credentials. Your boto config path is: ['/data/home/user/.boto', '/data/home/user/.config/gcloud/legacy_credentials/upload@my-bucket.iam.gserviceaccount.com/.boto']. For more help, see "gsutil help creds".

I'm very confused at why gsutil is unable to handle multiple types of credentials. If the service account has been activated with gcloud auth, why is the gsutil cp command unable to use the credentials just because there are also other credentials available? Is it expected that we should delete the original user credentials and just use the service account credentials?

I have read the other questions on this topic and found them unhelpful. I understand there may be a need to change some environment variables, but I'm unsure how we should do this and if we will be able to retain the functionality of the original user account after the upload is completed. Is anyone able to explain why this does not work? I have had no issues in the past using user accounts AND service accounts during the same session, so long as the gcloud auth command was executed before other commands. .

My coworker tried logging back into their user account and initiating the upload, unsurprisingly this didn't work as their user account does not have the required permissions while the service account does.
$ gcloud config set account useraccount@company.com
Updated property [core/account].

$ gsutil cp example.file gs://my-bucket/

Copying file://example.file [Content-Type=application/x-tar]...

ResumableUploadAbortException: 403 useraccount@company.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).

答案1

得分: 1

系统配置错误。建议运行 gcloud auth revoke 直到没有更多的凭据被授权。运行 gsutil ls 并验证 gsutil 未被授权。运行 gcloud init。然后运行 gcloud auth activate-service-account

如果要配置 gsutil 以使用服务账号而不是由 gcloud 配置的凭据,请运行以下两个命令:

gcloud config set pass_credentials_to_gsutil false
gsutil config -e

将要求输入服务账号 JSON 密钥文件的完整路径。

英文:

Something is misconfigured on your system. I recommend running gcloud auth revoke until no more credentials are authorized. Run gsutil ls and verify that gsutil is not authorized. Run gcloud init. Then run gcloud auth activate-service-account.

If you want to configure gsutil to use a service account instead of the credentials configured by gcloud run the following two commands:

gcloud config set pass_credentials_to_gsutil false
gsutil config -e

You will be prompted for the full path to the service account JSON key file.

答案2

得分: 1

gsutil 不定义任何凭证优先级,因此如果发现多种类型的凭证存在,它不知道应该使用哪一个。

错误是准确的 - 它显示您的主目录中有一个为独立 (非 gcloud) gsutil 安装创建的 boto 文件,以及由 gcloud 创建的一个用于服务帐户的 boto 文件。您应该选择一种 gsutil 安装方法并坚持使用 - 要么使用独立 gsutil,要么安装 gcloud 并使用其中包含的 gsutil 安装程序。混用这两者通常会导致配置错误,就像这样。

如果使用 gcloud 预装的 gsutil 安装程序,您应该删除为独立 gsutil 使用创建的配置文件 (即主目录中的一个),只使用 gcloud 来配置您的活动帐户和相关凭证 (实际上,这只是让 gcloud 告诉 gsutil 应加载哪个 boto 配置)。

英文:

gsutil does not define any credential precedence, so if it finds multiple types of credentials present, it doesn't know which should be used.

The error is accurate -- it shows that you have a boto file in your home directory that was created for use with a standalone (non-gcloud) gsutil installation, as well as a boto file that was created by gcloud (the one for the service account). You should choose one gsutil installation method and stick with it -- either use standalone gsutil, or install gcloud and use the gsutil installation included with that. Mixing the two often results in configuration errors like this.

If using a gcloud-bundled gsutil installation, you should delete the config file(s) that were created for use with standalone gsutil (i.e. the one in your home directory), and just use gcloud to configure your active account and associated credentials (which, under the hood, actually just makes gcloud tell gsutil which boto config it should load).

huangapple
  • 本文由 发表于 2023年5月15日 08:11:45
  • 转载请务必保留本文链接:https://go.coder-hub.com/76250178.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定