在GCP PubSub SubscriberClient的python api中使用ImpersonatedCredentials

2024-04-23 07:51:45 发布

您现在位置:Python中文网/ 问答频道 /正文
5381 3

我正在尝试使用python pubsub API使用ImpersontatedCredentials(模拟服务帐户)创建SubscriberClient,然后使用该客户端创建一些订阅。我正在尝试在本地运行此代码(尽管最终它将作为云函数部署)

在执行此操作时,我得到以下错误:

filter: "attributes.provider_id = "integration_test_create_delete_provider_id_123"" , metadata=[('x-goog-request-params', 'name=projects/my-project/subscriptions/integration_test_create_delete_provider_id_123'), ('x-goog-api-client', 'gl-python/3.8.6 grpc/1.39.0 gax/1.31.1 gccl/2.7.0')]), last exception: 503 Getting metadata from plugin failed with error: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n "error": {\n "code": 400,\n "message": "Request contains an invalid argument.",\n "status": "INVALID_ARGUMENT"\n }\n}\n')

我创建模拟凭据的代码如下所示:

from google.auth import impersonated_credentials
from google.cloud import pubsub_v1

target_scopes = [
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/pubsub",
]
target_principal = ("target-svc-account@my-project.iam.gserviceaccount.com",)

def _get_impersonated_pubsub_client():
    return pubsub_v1.SubscriberClient(credentials=_get_impersonated_creds())


def _get_impersonated_creds():
    default_creds, _ = google.auth.default()
    impersonated_creds = impersonated_credentials.Credentials(
        source_credentials=default_creds,
        target_principal=target_principal,
        target_scopes=target_scopes,
    )
    return impersonated_creds

从那里,我在通过调用_get_impersonated_pubsub_client()得到的客户机上调用create_subscription(request=my_request),大约一分钟后,我看到上面的错误

我的请求对象如下所示:

{
        "name": "projects/my-project/subscriptions/integration_test_create_delete_provider_id_123",
        "topic": "projects/my-project/topics/my-topic-dev-us-west1",
}

如果我在SubscriberClient构造函数中进行相同的调用而不进行模拟或指定凭据,那么一切都很正常

我的第一个想法是这是一个权限错误,但我仔细检查了我的源帐户是否具有ServiceAccountTokenCreator角色

此外,我尝试使用GCloud CLI运行一个等效命令(包括模拟),如下所示:

gcloud pubsub subscriptions create my_subscription_name --topic=projects/my-project/topics/my-topic-dev-us-west1 --impersonate-service-account target-svc-account@my-project.iam.gserviceaccount.com

这完全符合预期——这让我相信GCP中的权限设置是正确的

SubscriberClientImpersonatedCredentials不起作用,或者我可以做一些强制来让auth工作吗

我还确保运行gcloud config unset auth/impersonate_service_account,然后运行gcloud auth application-default login,以确保我的本地凭据处于良好状态

相关依赖项:

google-api-core[grpc]==1.31.1; platform_python_implementation != 'PyPy'
google-api-python-client==2.15.0; python_version >= '3.6'
google-auth-httplib2==0.1.0
google-auth==1.34.0
google-cloud-core==2.0.0b1; python_version >= '3.6'
google-cloud-firestore==2.2.0; platform_python_implementation != 'PyPy'
google-cloud-pubsub==2.7.0
google-cloud-storage==1.41.1; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'
google-crc32c==1.1.2; python_version >= '3.6'
google-resumable-media==2.0.0b1; python_version >= '3.6'
googleapis-common-protos[grpc]==1.53.0; python_version >= '3.6'
grpc-google-iam-v1==0.12.3
grpcio==1.39.0
httplib2==0.19.1

Tags: projectauthcloudtargetversionmycreategoogle
1条回答
网友
1楼 · 发布于 2024-04-23 07:51:45

您的Python代码看起来是否正确

完成以下步骤:

  1. 列出已启用的服务:

gcloud服务列表已启用

  1. 验证是否已启用iamcdentials.googleapis.com。要启用:

gcloud服务启用iamcdentials.googleapis.com

  1. 验证是否已启用cloudresourcemanager.googleapis.com。要启用:

gcloud服务支持cloudresourcemanager.googleapis.com

  1. 验证计算引擎默认服务帐户是否具有角色角色/iam.serviceAccountTokenCreator或更高版本

所需的许可是:

  • iam.serviceCounts.getAccessToken

  • iam.serviceAccounts.getOpenIdToken(获取身份令牌需要此权限)

    gcloud项目添加iam策略绑定[PROECT\u ID]
    成员“serviceAccount:[GCE\u DEFAULT\u SA\u FULL\u EMAIL]”
    角色“角色/iam.serviceAccountTokenCreator”

  1. 验证计算引擎默认服务帐户是否具有角色角色/serviceusage.serviceUsageConsumer或更高版本

    gcloud项目添加iam策略绑定[PROECT\u ID]
    成员“serviceAccount:[GCE\u DEFAULT\u SA\u FULL\u EMAIL]”
    角色“角色/serviceusage.serviceUsageConsumer”

如果之前的任何一项未启用/授予,令牌发行将失败。

注意:如果您只希望计算引擎服务帐户能够模拟一个服务帐户,请更改步骤4以在服务帐户而不是项目上授予角色:

gcloud iam service-accounts add-iam-policy-binding [SA_FULL_EMAIL] \
 member serviceAccount:[GCE_DEFAULT_SA_FULL_EMAIL] \
 role roles/iam.serviceAccountTokenCreator

相关问题 更多 >

    编程相关推荐