对于Google Cloud Platform存储客户端的身份验证,我不想将服务帐户JSON(您创建的凭证文件)写入磁盘。从所有云实例共享的Hashicorp Vault密钥库加载它们之后,我想将它们纯粹保留在内存中。有没有办法直接传递JSON凭证,而不是传递类似路径的文件对象?
我了解如何使用如下路径/文件对象来执行此操作,但这是我要避免的操作(由于安全问题,我宁愿永远不要将其写入磁盘):
from google.cloud import storage
# set an environment variable that relies on a JSON file
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service_account.json"
# create the client (assumes the environment variable is set)
client = storage.Client()
# alternately, one can create the client without the environment
# variable, but this still relies on a JSON file.
client = storage.Client.from_service_account_json("/path/to/service_account.json")
我试图通过直接引用JSON DATA(json_data)来解决此问题,但这会引发错误:TypeError: expected str, bytes or os.PathLike object, not dict
json_data = {....[JSON]....}
client = storage.Client.from_service_account_json(json_data)
此外,转储为JSON,但出现错误:
with io.open(json_credentials_path, "r", encoding="utf-8") as json_fi:
OSError: [Errno 63] File name too long: '{"type": "service_account", "project_id",......
json_data = {....[JSON]....}
client = storage.Client.from_service_account_json(json.dumps(json_data))
根据@johnhanley的建议,我也尝试过:
from google.cloud import storage
from google.oauth2 import service_account
json_data = {...data loaded from keystore...}
type(json_data)
dict
credentials = service_account.Credentials.from_service_account_info(json_data)
type(credentials)
google.oauth2.service_account.Credentials
client = storage.Client(credentials=credentials)
这导致DefaultCredentialsError:
raise exceptions.DefaultCredentialsError(_HELP_MESSAGE)
google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://developers.google.com/accounts/docs/application-default-credentials.
如果您有解决方法的想法,我很想听听!
答案 0 :(得分:0)
当前,客户端库中没有用于Cloud Storage的内置方法来实现此目的。因此,这里有2种可能性:
您可能还考虑使用其他产品,例如Cloud Functions或App Engine,该产品将允许您在服务级别上配置身份验证,而不必提供服务帐户凭据。