在不将服务帐户JSON保存到磁盘的情况下对google.storage.Client进行身份验证

时间:2020-04-08 21:42:54

标签: python json google-cloud-platform google-cloud-storage

对于Google Cloud Platform存储客户端的身份验证,我不想将服务帐户JSON(您创建的凭证文件)写入磁盘。从所有云实例共享的Hashicorp Vault密钥库加载它们之后,我想将它们纯粹保留在内存中。有没有办法直接传递JSON凭证,而不是传递类似路径的文件对象?

我了解如何使用如下路径/文件对象来执行此操作,但这是我要避免的操作(由于安全问题,我宁愿永远不要将其写入磁盘):

from google.cloud import storage

# set an environment variable that relies on a JSON file
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service_account.json"

# create the client (assumes the environment variable is set)
client = storage.Client()

# alternately, one can create the client without the environment 
# variable, but this still relies on a JSON file.
client = storage.Client.from_service_account_json("/path/to/service_account.json")

我试图通过直接引用JSON DATA(json_data)来解决此问题,但这会引发错误:TypeError: expected str, bytes or os.PathLike object, not dict

json_data = {....[JSON]....}
client = storage.Client.from_service_account_json(json_data)

此外,转储为JSON,但出现错误:

with io.open(json_credentials_path, "r", encoding="utf-8") as json_fi: OSError: [Errno 63] File name too long: '{"type": "service_account", "project_id",......

json_data = {....[JSON]....}
client = storage.Client.from_service_account_json(json.dumps(json_data))

根据@johnhanley的建议,我也尝试过:

from google.cloud import storage
from google.oauth2 import service_account

json_data = {...data loaded from keystore...}
type(json_data)
   dict

credentials = service_account.Credentials.from_service_account_info(json_data)
type(credentials)
   google.oauth2.service_account.Credentials

client = storage.Client(credentials=credentials)

这导致DefaultCredentialsError:

raise exceptions.DefaultCredentialsError(_HELP_MESSAGE) google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://developers.google.com/accounts/docs/application-default-credentials.

如果您有解决方法的想法,我很想听听!

1 个答案:

答案 0 :(得分:0)

当前,客户端库中没有用于Cloud Storage的内置方法来实现此目的。因此,这里有2种可能性:

  • 正如@JohnHanley所述,使用提供的内置方法[1] [2]为Cloud Storage客户端创建构造函数。

  • 您可能还考虑使用其他产品,例如Cloud FunctionsApp Engine,该产品将允许您在服务级别上配置身份验证,而不必提供服务帐户凭据。