我正在尝试使用python pubsub API使用ImpersontatedCredentials
(模拟服务帐户)创建SubscriberClient
,然后使用该客户端创建一些订阅。我正在尝试在本地运行此代码(尽管最终它将作为云函数部署)
在执行此操作时,我得到以下错误:
filter: "attributes.provider_id = "integration_test_create_delete_provider_id_123"" , metadata=[('x-goog-request-params', 'name=projects/my-project/subscriptions/integration_test_create_delete_provider_id_123'), ('x-goog-api-client', 'gl-python/3.8.6 grpc/1.39.0 gax/1.31.1 gccl/2.7.0')]), last exception: 503 Getting metadata from plugin failed with error: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n "error": {\n "code": 400,\n "message": "Request contains an invalid argument.",\n "status": "INVALID_ARGUMENT"\n }\n}\n')
我创建模拟凭据的代码如下所示:
from google.auth import impersonated_credentials
from google.cloud import pubsub_v1
target_scopes = [
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/pubsub",
]
target_principal = ("target-svc-account@my-project.iam.gserviceaccount.com",)
def _get_impersonated_pubsub_client():
return pubsub_v1.SubscriberClient(credentials=_get_impersonated_creds())
def _get_impersonated_creds():
default_creds, _ = google.auth.default()
impersonated_creds = impersonated_credentials.Credentials(
source_credentials=default_creds,
target_principal=target_principal,
target_scopes=target_scopes,
)
return impersonated_creds
从那里,我在通过调用_get_impersonated_pubsub_client()
得到的客户机上调用create_subscription(request=my_request)
,大约一分钟后,我看到上面的错误
我的请求对象如下所示:
{
"name": "projects/my-project/subscriptions/integration_test_create_delete_provider_id_123",
"topic": "projects/my-project/topics/my-topic-dev-us-west1",
}
如果我在SubscriberClient
构造函数中进行相同的调用而不进行模拟或指定凭据,那么一切都很正常
我的第一个想法是这是一个权限错误,但我仔细检查了我的源帐户是否具有ServiceAccountTokenCreator
角色
此外,我尝试使用GCloud CLI运行一个等效命令(包括模拟),如下所示:
gcloud pubsub subscriptions create my_subscription_name --topic=projects/my-project/topics/my-topic-dev-us-west1 --impersonate-service-account target-svc-account@my-project.iam.gserviceaccount.com
这完全符合预期——这让我相信GCP中的权限设置是正确的
SubscriberClient
与ImpersonatedCredentials
不起作用,或者我可以做一些强制来让auth工作吗
我还确保运行gcloud config unset auth/impersonate_service_account
,然后运行gcloud auth application-default login
,以确保我的本地凭据处于良好状态
相关依赖项:
google-api-core[grpc]==1.31.1; platform_python_implementation != 'PyPy'
google-api-python-client==2.15.0; python_version >= '3.6'
google-auth-httplib2==0.1.0
google-auth==1.34.0
google-cloud-core==2.0.0b1; python_version >= '3.6'
google-cloud-firestore==2.2.0; platform_python_implementation != 'PyPy'
google-cloud-pubsub==2.7.0
google-cloud-storage==1.41.1; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'
google-crc32c==1.1.2; python_version >= '3.6'
google-resumable-media==2.0.0b1; python_version >= '3.6'
googleapis-common-protos[grpc]==1.53.0; python_version >= '3.6'
grpc-google-iam-v1==0.12.3
grpcio==1.39.0
httplib2==0.19.1
您的Python代码看起来是否正确
完成以下步骤:
gcloud服务列表已启用
gcloud服务启用iamcdentials.googleapis.com
gcloud服务支持cloudresourcemanager.googleapis.com
所需的许可是:
iam.serviceCounts.getAccessToken
iam.serviceAccounts.getOpenIdToken(获取身份令牌需要此权限)
gcloud项目添加iam策略绑定[PROECT\u ID]
成员“serviceAccount:[GCE\u DEFAULT\u SA\u FULL\u EMAIL]”
角色“角色/iam.serviceAccountTokenCreator”
验证计算引擎默认服务帐户是否具有角色角色/serviceusage.serviceUsageConsumer或更高版本
gcloud项目添加iam策略绑定[PROECT\u ID]
成员“serviceAccount:[GCE\u DEFAULT\u SA\u FULL\u EMAIL]”
角色“角色/serviceusage.serviceUsageConsumer”
如果之前的任何一项未启用/授予,令牌发行将失败。
注意:如果您只希望计算引擎服务帐户能够模拟一个服务帐户,请更改步骤4以在服务帐户而不是项目上授予角色:
相关问题 更多 >
编程相关推荐