I am trying to use Application Default Credentials on Container Engine for the Python IAM API, but I get the following error pointing to insufficient authentication scopes. My project has the IAM API enabled, and the code runs locally, so I am not sure what I am missing.
My error message:
```
22:26:16.000
ERROR:root:<HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/test123@henry-dev.iam.gserviceaccount.com/keys?alt=json returned "Request had insufficient authentication scopes.">
{
 metadata: {…}
 textPayload: "ERROR:root:<HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/test123@henry-dev.iam.gserviceaccount.com/keys?alt=json returned "Request had insufficient authentication scopes.">
"
 insertId: "116wpgtg3n4zndx"
 log: "simplekubeserver"
}
22:26:16.000
HttpError: <HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/test123@henry-dev.iam.gserviceaccount.com/keys?alt=json returned "Request had insufficient authentication scopes.">
{
 metadata: {…}
 textPayload: "HttpError: <HttpError 403 when requesting https://iam.googleapis.com/v1/projects/henry-dev/serviceAccounts/test123@henry-dev.iam.gserviceaccount.com/keys?alt=json returned "Request had insufficient authentication scopes.">
"
 insertId: "116wpgtg3n4znej"
 log: "simplekubeserver"
}
```
My code, which runs locally but not on GKE:
```python
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials


def _iam_service():
    # Application Default Credentials: local gcloud credentials on a workstation,
    # the instance service account via the metadata server on GCE/GKE.
    credentials = GoogleCredentials.get_application_default()
    return discovery.build(serviceName='iam',
                           version='v1',
                           credentials=credentials)


def list_keys(project_id, service_account_id):
    full_name = 'projects/{0}/serviceAccounts/{1}'.format(project_id, service_account_id)
    keys = _iam_service().projects().serviceAccounts().keys()
    request = keys.list(name=full_name)
    return request.execute()
```
One thing I tried while troubleshooting was to get the service account that is being used:
```python
print credentials.service_account_email
```
Locally, this shows the correct service account I am using. On GKE, however, I get None, whereas I expected something like 123456789-compute@developer.gserviceaccount.com.
In the source code I saw:
```
_get_application_default_credential_GCE()
_get_application_default_credential_GAE()
```
But there is nothing explicit for GKE, so I assume the GCE path is used.
This doc mentions that this should work on Container Engine:
Application Default Credentials are best suited for cases
when the call needs to have the same identity and authorization level
for the application independent of the user. This is the recommended
approach to authorize calls to Google Cloud Platform APIs, particularly
when you're building an application that is deployed to Google App
Engine, **Google Container Engine**, or Google Compute Engine virtual
machines.
Answer 0 (score: 2)
The IAM Service Accounts API requires the https://www.googleapis.com/auth/iam or https://www.googleapis.com/auth/cloud-platform scope. The scopes on GKE cluster nodes are defined at cluster creation (or node pool creation) time. If you created the cluster through the Cloud Console or gcloud, the default scopes do not include these.
In the Cloud Console, you can add the Cloud Platform scope to a new cluster by clicking the "More" link and setting "Cloud Platform" to "Enabled".
If you are using gcloud, you can pass the --scopes flag to gcloud container clusters create or gcloud container node-pools create.
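The answer's point is that the 403 is decided by the node's OAuth scopes, not by whether the IAM API is enabled or by the code. A practical check is to ask the GCE metadata server, which GKE pods also reach, what scopes and which service account the node actually has before making the IAM call. The following is an added example, not code from the question or the answer: it reads the real metadata paths `.../service-accounts/default/scopes` and `.../service-accounts/default/email` (with the `Metadata-Flavor: Google` header those paths require) and reports whether either IAM-capable scope is present. The `SAMPLE_*` values are constructed so the parsing and the verdict can be exercised off-GCE; the example's function names are its own.

```python
"""Added example (not from the question or answer): check, from a GCE/GKE node or
pod, whether the default service account's scopes cover the IAM API before calling
it. Metadata paths and the Metadata-Flavor header are real GCE conventions; the
SAMPLE_* values are constructed for offline use."""
import urllib.request

# Base path of the default service account on the GCE metadata server.
METADATA_ROOT = ("http://metadata.google.internal/computeMetadata/v1/"
                 "instance/service-accounts/default/")

# Either of these scopes lets a request reach the IAM Service Accounts API.
IAM_SCOPES = frozenset({
    "https://www.googleapis.com/auth/iam",
    "https://www.googleapis.com/auth/cloud-platform",
})

# Constructed sample: a newline-separated scope list of the shape the metadata
# server returns for a node created without any IAM-capable scope.
SAMPLE_DEFAULT_SCOPES = """https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring
"""

# Constructed sample for a node pool created with the cloud-platform scope.
SAMPLE_CLOUD_PLATFORM_SCOPES = (SAMPLE_DEFAULT_SCOPES +
                                "https://www.googleapis.com/auth/cloud-platform\n")

SAMPLE_EMAIL = "123456789-compute@developer.gserviceaccount.com"  # constructed


def fetch_metadata(path):
    """GET one value from the metadata server; raises OSError when off-GCE."""
    req = urllib.request.Request(METADATA_ROOT + path,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode("utf-8")


def parse_scopes(text):
    """Turn the one-scope-per-line metadata response into a set of scopes."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def diagnose(scopes_text, email_text):
    """Report whether an IAM API call from this node can pass the scope check.

    Returns a dict so callers can act on the result instead of parsing output."""
    scopes = parse_scopes(scopes_text)
    granted = sorted(scopes & IAM_SCOPES)
    return {
        "service_account": email_text.strip(),
        "iam_scope_present": bool(granted),
        "granted_iam_scopes": granted,
        "all_scopes": sorted(scopes),
    }


def explain(report):
    """Human-readable verdict matching the 403 shown in the question."""
    if report["iam_scope_present"]:
        return "OK: %s has %s" % (report["service_account"],
                                  ", ".join(report["granted_iam_scopes"]))
    return ("Expect HTTP 403 'insufficient authentication scopes': %s has "
            "neither auth/iam nor auth/cloud-platform; recreate the cluster "
            "or node pool with --scopes" % report["service_account"])


if __name__ == "__main__":
    try:
        live = diagnose(fetch_metadata("scopes"), fetch_metadata("email"))
    except OSError as exc:
        # Off-GCE (for example a laptop): show the verdict on the samples instead.
        print("metadata server unreachable (%s); using constructed samples" % exc)
        for text in (SAMPLE_DEFAULT_SCOPES, SAMPLE_CLOUD_PLATFORM_SCOPES):
            print(explain(diagnose(text, SAMPLE_EMAIL)))
    else:
        print(explain(live))
```

Run inside a pod on the failing cluster and it prints the node's actual service account (answering the `None` seen in the question, since the metadata server is the source of that value) and whether the IAM scope is there; the fix is then the one the answer gives, for example `--scopes=https://www.googleapis.com/auth/cloud-platform` on `gcloud container clusters create` or `gcloud container node-pools create`, because scopes cannot be changed on an existing node.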