我正在将Google AppEngine(GAE)灵活环境与自定义运行时(python2.7)结合使用。我正在使用自定义,因此我可以管理Dockerfile,并在我的笔记本电脑和在GAE中部署时轻松实现奇偶校验。
我有一个python 2.7 Flask应用程序,正在对DataStore进行查询。我得到以下信息(在本地docker中启动python main.py时):
root@24dcf9b8712d:/home/vmagent/app# curl localhost:5000/things
'/home/vmagent/app/clientid-searchapp.json'
[2018-09-04 14:54:19,969] ERROR in app: Exception on /things [GET]
Traceback (most recent call last):
File "/env/local/lib/python2.7/site-packages/flask/app.py", line 2292, in wsgi_app
response = self.full_dispatch_request()
File "/env/local/lib/python2.7/site-packages/flask/app.py", line 1815, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/env/local/lib/python2.7/site-packages/flask/app.py", line 1718, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/env/local/lib/python2.7/site-packages/flask/app.py", line 1813, in full_dispatch_request
rv = self.dispatch_request()
File "/env/local/lib/python2.7/site-packages/flask/app.py", line 1799, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "main.py", line 55, in products
for rec in query.fetch(limit=100):
File "/env/lib/python2.7/site-packages/google/api_core/page_iterator.py", line 199, in _items_iter
for page in self._page_iter(increment=False):
File "/env/lib/python2.7/site-packages/google/api_core/page_iterator.py", line 230, in _page_iter
page = self._next_page()
File "/env/local/lib/python2.7/site-packages/google/cloud/datastore/query.py", line 517, in _next_page
query=query_pb,
File "/env/local/lib/python2.7/site-packages/google/cloud/datastore_v1/gapic/datastore_client.py", line 294, in run_query
request, retry=retry, timeout=timeout, metadata=metadata)
File "/env/lib/python2.7/site-packages/google/api_core/gapic_v1/method.py", line 139, in __call__
return wrapped_func(*args, **kwargs)
File "/env/lib/python2.7/site-packages/google/api_core/retry.py", line 260, in retry_wrapped_func
on_error=on_error,
File "/env/lib/python2.7/site-packages/google/api_core/retry.py", line 177, in retry_target
return target()
File "/env/lib/python2.7/site-packages/google/api_core/timeout.py", line 206, in func_with_timeout
return func(*args, **kwargs)
File "/env/lib/python2.7/site-packages/google/api_core/grpc_helpers.py", line 56, in error_remapped_callable
six.raise_from(exceptions.from_grpc_error(exc), exc)
File "/env/local/lib/python2.7/site-packages/six.py", line 737, in raise_from
raise value
PermissionDenied: 403 Missing or insufficient permissions.
127.0.0.1 - - [04/Sep/2018 14:54:19] "GET /things HTTP/1.1" 500 -
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>
main.py的片段
app = Flask(__name__)
ds = datastore.Client()
<snip>
@app.route("/things")
def things():
global ds
pprint(os.environ['GOOGLE_APPLICATION_CREDENTIALS'])
query = ds.query(kind='Things', order=('thing_name',))
results = list()
for rec in query.fetch(limit=100):
results.append(rec)
return jsonify(results)
gcloud auth list的输出:
root@24dcf9b8712d:/home/vmagent/app# gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* <myapp>@<project-name>.iam.gserviceaccount.com
这是配置的服务帐户。我由于拥有过多的角色成员而获得了特权。我可以确定该服务帐户并不缺少权限。实际上,它具有“数据存储所有者”
在main.py中,我输出:
pprint(os.environ ['GOOGLE_APPLICATION_CREDENTIALS'])
这会将服务帐户的路径输出到我的client-<myapp>.json文件。该文件与Dockerfile中提供的文件相同:
RUN gcloud auth activate-service-account --key-file=clientid-<myapp>.json --project <project-name> --quiet
在本地Docker环境中运行Flask应用程序以及将其部署到GAE Flexible时,我得到相同的结果。 Flask应用程序具有其他端点,因为它们不会调用任何其他服务,因此可以正常工作。只有/things使用API来调用DataStore,并且会收到上述错误。
我浏览了所有文档。我敢肯定这是基本且显而易见的事情,但毫无疑问,一切看起来都正确。
更新: 我尝试使用显式传递的项目名称创建DataStore客户端,而结果没有任何变化。另外,我已经从Docker容器中运行了此命令,这对我来说似乎是异常的输出,但我不知道对于服务帐户这是不正确的。
root@e02b74cd269d:/home/vmagent/app# gcloud projects list
API [cloudresourcemanager.googleapis.com] not enabled on project
[<project id>]. Would you like to enable and retry (this will take a
few minutes)? (y/N)? y
当我回复Y时,:
ERROR: (gcloud.projects.list) PERMISSION_DENIED: Not allowed to get project settings for project <project id>
gcloud config list的输出:
root@d18c83cae166:/home/vmagent/app# gcloud config list
[core]
account = <myapp>@<myproject>.iam.gserviceaccount.com
disable_usage_reporting = False
project = <myproject>
Your active configuration is: [default]