我正在将旧版Google Admin SDK API中的App Engine python项目更新为新版本,并且难以对built in services account(AppAssertionCredentials)进行身份验证。
我已经
了要解决此问题,我从开发者控制台创建了一个服务帐户,下载了credentials.json,并在Google Apps信息中心中设置了以下权限(不含引号)(安全>高级设置>管理API客户端访问)对于该帐户:
我目前的代码是(稍微编辑)
# ...
import json
from google.appengine.api import memcache
from googleapiclient.discovery import build
from httplib2 import Http
from oauth2client.client import SignedJwtAssertionCredentials
GAPPS_CREDENTIALS = 'credentials.json'
GAPPS_SCOPES = [
'https://www.googleapis.com/auth/admin.directory.user.readonly',
'https://www.googleapis.com/auth/admin.directory.group.readonly',
'https://www.googleapis.com/auth/admin.directory.group.member.readonly'
]
GAPPS_ADMIN = 'admin'
GAPPS_DOMAIN = 'domain.com'
GAPPS_USER = 'user'
# ...
with open(GAPPS_CREDENTIALS) as jsonfile:
jsondata = json.load(jsonfile)
credentials = SignedJwtAssertionCredentials(
jsondata['client_email'],
jsondata['private_key'],
scope=GAPPS_SCOPES,
sub=GAPPS_ADMIN+'@'+GAPPS_DOMAIN
)
http = credentials.authorize(Http(memcache))
apps = build('admin', 'directory_v1', http=http)
user = apps.users().get(userKey=GAPPS_USER +'@'+GAPPS_DOMAIN ).execute()
console.log(user['email'])
# ...
这非常有效,但是如果可以的话,我想通过使用AppAssertionCredentials调用来验证凭证来消除credentials.json文件。
但是,只要我运行以下代码:
# ...
import json
from google.appengine.api import memcache
from googleapiclient.discovery import build
from httplib2 import Http
from oauth2client.appengine import AppAssertionCredentials
GAPPS_CREDENTIALS = 'credentials.json'
GAPPS_SCOPES = [
'https://www.googleapis.com/auth/admin.directory.user.readonly',
'https://www.googleapis.com/auth/admin.directory.group.readonly',
'https://www.googleapis.com/auth/admin.directory.group.member.readonly'
]
GAPPS_ADMIN = 'admin'
GAPPS_DOMAIN = 'domain.com'
GAPPS_USER = 'user'
# ...
credentials = AppAssertionCredentials(scope=GAPPS_SCOPES,sub=GAPPS_ADMIN+'@'+GAPPS_DOMAIN)
http = credentials.authorize(Http(memcache))
apps = build('admin', 'directory_v1', http=http)
user = apps.users().get(userKey=GAPPS_USER +'@'+GAPPS_DOMAIN ).execute()
console.log(user['email'])
# ...
我收到403错误:
<HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/users/user%domain.com?alt=json returned "Not Authorized to access this resource/api">
我怀疑问题可能是内置服务帐户未在Google Apps信息中心中进行身份验证,但是我无法在开发人员控制台或App Engine控制台中找到帐户域以便能够添加这些权限。我试过了:
This client name has not been registered with Google yet.)This client name has not been registered with Google yet. 任何人都可以放弃任何光明吗?
由于
答案 0 :(得分:3)
回答有关在何处查找App Engine默认服务帐户的电子邮件地址表单的问题:这位于权限下的新控制台中 - &gt;服务帐户(与API管理器相对 - >您自己创建的服务帐户的凭据)。
现在回答主要问题:AppAssertionCredentials不适用于具有委派访问权限的服务帐户,因为does not accept a 'sub' parameter用于构造函数和doesn't have a method for creating delegated credentials(它不像SignedJwtAssertionCredentials那样用作关键字参数,现在是ServiceAccountCredentials,被忽略了)。尽管如此,您仍然可以使用App Engine默认服务帐户,因为新控制台现在允许您create JSON keys for the default service accounts。
可以通过AppAssertionCredentials支持委派访问,为此您可以在project issue tracker上发布功能请求。