Getting error using Google cloud client libraries for Go: unknown credential type: "impersonated_service_account"?
I'm using Google Cloud in Go and following this article by John Hanley:
https://www.jhanley.com/google-cloud-improving-security-with-impersonation/
and mashing it together with this SO answer:
The credentials were saved successfully to "application_default_credentials.json":
Note: "type": "impersonated_service_account"
{
  "delegates": [],
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[sa@example-2021.iam.gserviceaccount.com]:generateAccessToken",
  "source_credentials": {
    "client_id": "...apps.googleusercontent.com",
    "client_secret": "...",
    "refresh_token": "...",
    "type": "authorized_user"
  },
  "type": "impersonated_service_account"
}
My code produces the unknown credential type: "impersonated_service_account" error:
package main

import (
	...
	"cloud.google.com/go/storage"
	"golang.org/x/oauth2"
	"google.golang.org/api/docs/v1"
	"google.golang.org/api/drive/v3"
	"google.golang.org/api/impersonate"
	"google.golang.org/api/option"
	...
)

// Service account to impersonate (declared as a struct so Config.GoogleServiceAccount is valid Go).
var Config = struct{ GoogleServiceAccount string }{"sa@example-2021.iam.gserviceaccount.com"}

func main() {
	_ = getTokenAsImpersonator()
}

// From: https://pkg.go.dev/google.golang.org/api/impersonate#example-CredentialsTokenSource-ServiceAccount
func getTokenAsImpersonator() oauth2.TokenSource {
	ctx := context.Background()
	// Base credentials sourced from ADC or provided client options.
	ts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
		TargetPrincipal: Config.GoogleServiceAccount,
		Scopes:          []string{"https://www.googleapis.com/auth/cloud-platform"},
		// Delegates: []string{"bar@project-id.iam.gserviceaccount.com"},
	})
	if err != nil {
		log.Fatal(err)
	}
	return ts
}
The 'unknown credential type: "impersonated_service_account"' error:
google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: unknown credential type: "impersonated_service_account"
Am I doing something wrong, or is this a bug?
Update
Answering John's questions from the comments:
1.
a) What is the value of the environment variable GOOGLE_APPLICATION_CREDENTIALS?
GOOGLE_APPLICATION_CREDENTIALS=/Users/x/.config/gcloud/application_default_credentials.json
b) Which command did you use to generate application_default_credentials.json?
gcloud auth application-default login --scopes=https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/accounts.reauth,openid --impersonate-service-account=[sa@example-2021.iam.gserviceaccount.com]
Response:
Credentials saved to file: [/Users/x/.config/gcloud/application_default_credentials.json]
c) Which OS and version?
MacOS 10.13.6
d) gcloud --version?
Google Cloud SDK 343.0.0
app-engine-go
app-engine-python 1.9.91
bq 2.0.69
cloud-datastore-emulator 2.1.0
core 2021.05.27
gsutil 4.62
- If you could create a minimal example...
I have updated the sample code above.
Sometimes I have used the CLI to impersonate an account:
gcloud config set auth/impersonate_service_account <service account>
Later, when you try to use the application default credentials command, it wraps your credentials together with the service account credentials.
gcloud auth application-default login
You end up with a file that looks like this:
{
  "delegates": [],
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example@example-project.iam.gserviceaccount.com:generateAccessToken",
  "source_credentials": {
    "client_id": "123abc.apps.googleusercontent.com",
    "client_secret": "XXXXXXXXX",
    "refresh_token": "XXXXXXXXX",
    "type": "authorized_user"
  },
  "type": "impersonated_service_account"
}
This seems to cause lots of problems with third-party services such as terraform.
What is strange is that Terraform is just making API calls to Google using Google SDKs, so really it's something to do with Google.
You need to remove the impersonation:
gcloud config unset auth/impersonate_service_account
Then run the application default credentials command again:
gcloud auth application-default login
Now if you check the file, it should look like this:
{
  "client_id": "XXXXXXXXX",
  "client_secret": "XXXXXXXXX",
  "quota_project_id": "example-project",
  "refresh_token": "XXXXXXXXXX",
  "type": "authorized_user"
}
I ran into the same problem when trying to impersonate an account so that I could run Terraform commands as a service account instead of my personal account, but it didn't like that.
Edit: re-reading your question, it sounds like you and I are in the same boat. We want to use a service account without actually downloading a key. Google even mentions this as a best practice. But doing so causes problems with their own SDKs.
I ran into the same issue running the GCP Terraform provider tests. You can specify the service account Terraform must impersonate by setting the environment variable GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
(documentation).
Configuration steps:
export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com
gcloud auth application-default login
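The two answers above avoid the wrapper file by regenerating it; the other way to stay key-less with a library version that only knows `authorized_user`, as an added example that is not code from the question or from Google's libraries, is to unwrap the file in code: take the inner `source_credentials` block (the exact shape the second answer ends up with) and the principal from `service_account_impersonation_url`, and feed the latter to `impersonate.CredentialsConfig.TargetPrincipal` as the question's `getTokenAsImpersonator` already does. Stdlib only; the sample file is constructed from the question with the secrets replaced, and the names `UnwrapADC`, `Unwrapped` and `PrincipalFromURL` are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SampleADC is a constructed copy of the wrapper file shown in the question (secrets replaced).
const SampleADC = `{"delegates": [], "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[sa@example-2021.iam.gserviceaccount.com]:generateAccessToken", "source_credentials": {"client_id": "x.apps.googleusercontent.com", "client_secret": "REDACTED", "refresh_token": "REDACTED", "type": "authorized_user"}, "type": "impersonated_service_account"}`

// adcFile mirrors the application_default_credentials.json layout from the question.
type adcFile struct {
	Type             string          `json:"type"`
	ImpersonationURL string          `json:"service_account_impersonation_url"`
	Delegates        []string        `json:"delegates"`
	Source           json.RawMessage `json:"source_credentials"`
}

// Unwrapped holds the inner authorized_user JSON an older library accepts plus the TargetPrincipal/Delegates for impersonate.CredentialsConfig.
type Unwrapped struct {
	Type, TargetPrincipal string
	Delegates             []string
	SourceJSON            []byte
}

// PrincipalFromURL takes <email> out of .../serviceAccounts/<email>:generateAccessToken and strips the [] seen in the question's file.
func PrincipalFromURL(u string) string {
	_, rest, _ := strings.Cut(u, "/serviceAccounts/") // rest is "" when the marker is absent
	return strings.Trim(strings.SplitN(rest, ":", 2)[0], "[]")
}

// UnwrapADC passes plain files through, unwraps gcloud's wrapper, and rejects other types with the message the question's library gave.
func UnwrapADC(raw []byte) (*Unwrapped, error) {
	var f adcFile
	if err := json.Unmarshal(raw, &f); err != nil {
		return nil, fmt.Errorf("parse ADC file: %w", err)
	}
	switch f.Type {
	case "authorized_user", "service_account":
		return &Unwrapped{Type: f.Type, SourceJSON: raw}, nil
	case "impersonated_service_account":
		p := PrincipalFromURL(f.ImpersonationURL)
		if !strings.Contains(p, "@") {
			return nil, fmt.Errorf("no service-account e-mail in %q", f.ImpersonationURL)
		}
		return &Unwrapped{Type: f.Type, TargetPrincipal: p, Delegates: f.Delegates, SourceJSON: f.Source}, nil
	}
	return nil, fmt.Errorf("unknown credential type: %q", f.Type)
}
```

Read the real file from the path in GOOGLE_APPLICATION_CREDENTIALS instead of SampleADC; the unwrapped SourceJSON never contains the service account's key, so nothing is downloaded that the answers' approach would not already have on disk.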