让AppEngine AppAssertionCredentials正常工作(Python)?

时间:2015-07-03 09:23:53

标签: python google-app-engine google-admin-sdk

我正在将旧版Google Admin SDK API中的App Engine python项目更新为新版本,并且难以对built in services accountAppAssertionCredentials)进行身份验证。

我已经

  • 在开发人员控制台中启用了Admin SDK API
  • 在Google Apps信息中心中启用API访问

要解决此问题,我从开发者控制台创建了一个服务帐户,下载了credentials.json,并在Google Apps信息中心中设置了以下权限(不含引号)(安全>高级设置>管理API客户端访问)对于该帐户:

我目前的代码是(稍微编辑)

# ...

import json
from google.appengine.api import memcache
from googleapiclient.discovery import build
from httplib2 import Http
from oauth2client.client import SignedJwtAssertionCredentials

GAPPS_CREDENTIALS = 'credentials.json'
GAPPS_SCOPES = [
  'https://www.googleapis.com/auth/admin.directory.user.readonly',
  'https://www.googleapis.com/auth/admin.directory.group.readonly',
  'https://www.googleapis.com/auth/admin.directory.group.member.readonly'
]
GAPPS_ADMIN = 'admin'
GAPPS_DOMAIN = 'domain.com'
GAPPS_USER = 'user'

# ...

with open(GAPPS_CREDENTIALS) as jsonfile:
  jsondata = json.load(jsonfile)
  credentials = SignedJwtAssertionCredentials(
    jsondata['client_email'],
    jsondata['private_key'],
    scope=GAPPS_SCOPES,
    sub=GAPPS_ADMIN+'@'+GAPPS_DOMAIN
)

http = credentials.authorize(Http(memcache))
apps = build('admin', 'directory_v1', http=http)
user = apps.users().get(userKey=GAPPS_USER +'@'+GAPPS_DOMAIN ).execute()
console.log(user['email'])

# ...

这非常有效,但是如果可以的话,我想通过使用AppAssertionCredentials调用来验证凭证来消除credentials.json文件。

但是,只要我运行以下代码:

# ...

import json
from google.appengine.api import memcache
from googleapiclient.discovery import build
from httplib2 import Http
from oauth2client.appengine import AppAssertionCredentials

GAPPS_CREDENTIALS = 'credentials.json'
GAPPS_SCOPES = [
  'https://www.googleapis.com/auth/admin.directory.user.readonly',
  'https://www.googleapis.com/auth/admin.directory.group.readonly',
  'https://www.googleapis.com/auth/admin.directory.group.member.readonly'
]
GAPPS_ADMIN = 'admin'
GAPPS_DOMAIN = 'domain.com'
GAPPS_USER = 'user'

# ...

credentials = AppAssertionCredentials(scope=GAPPS_SCOPES,sub=GAPPS_ADMIN+'@'+GAPPS_DOMAIN)
http = credentials.authorize(Http(memcache))
apps = build('admin', 'directory_v1', http=http)
user = apps.users().get(userKey=GAPPS_USER +'@'+GAPPS_DOMAIN ).execute()
console.log(user['email'])

# ...

我收到403错误:

<HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/users/user%domain.com?alt=json returned "Not Authorized to access this resource/api">

我怀疑问题可能是内置服务帐户未在Google Apps信息中心中进行身份验证,但是我无法在开发人员控制台或App Engine控制台中找到帐户域以便能够添加这些权限。我试过了:

  • 添加在Developers Console&gt;下找到的所有服务帐户权限,将@ developer.gserviceaccount.com更改为.apps.googleusercontent.com(@ cloudservices.gserviceaccount.com帐户会导致错误:This client name has not been registered with Google yet.
  • 使用{project} .appspot.com域:This client name has not been registered with Google yet.
  • 的Google Apps错误

任何人都可以放弃任何光明吗?

由于

1 个答案:

答案 0 :(得分:3)

回答有关在何处查找App Engine默认服务帐户的电子邮件地址表单的问题:这位于权限下的新控制台中 - &gt;服务帐户(与API管理器相对 - >您自己创建的服务帐户的凭据)。

现在回答主要问题:AppAssertionCredentials不适用于具有委派访问权限的服务帐户,因为does not accept a 'sub' parameter用于构造函数和doesn't have a method for creating delegated credentials(它不像SignedJwtAssertionCredentials那样用作关键字参数,现在是ServiceAccountCredentials,被忽略了)。尽管如此,您仍然可以使用App Engine默认服务帐户,因为新控制台现在允许您create JSON keys for the default service accounts

可以通过AppAssertionCredentials支持委派访问,为此您可以在project issue tracker上发布功能请求。