授权 Cloud SQL Admin API 从 Cloud Function 调用
Authorize Cloud SQL Admin API call from Cloud Function
我正在尝试构建小函数(后来部署到云函数)以将 BAK 文件恢复到云 sql。此功能将由 cron 触发。
在阅读有关授权此 API 的文档时,我有点迷路:https://cloud.google.com/sql/docs/sqlserver/import-export/importing#importing_data_from_a_bak_file_in
已创建包含此角色的服务帐户:Cloud SQL Admin、Storage Admin、Storage Object Admin、Storage Object Viewer,并在创建 Cloud Function 时从下拉列表中选择该服务帐户,但不起作用。
阅读此文后还尝试生成 API 密钥:https://cloud.google.com/sql/docs/sqlserver/admin-api/how-tos/authorizing
所以我的POSTurl变成了这个:
https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/import?key=generatedAPIKey
但仍然出现错误:
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"errors": [
{
"message": "Login Required.",
"domain": "global",
"reason": "required",
"location": "Authorization",
"locationType": "header"
}
],
"status": "UNAUTHENTICATED"
}
}
我需要为此使用 Oauth 2 吗?这是我在 Cloud Function 中的代码:
import http.client
import mimetypes
def restore_bak(request):
conn = http.client.HTTPSConnection("www.googleapis.com")
payload = "{\r\n \"importContext\":\r\n {\r\n \"fileType\": \"BAK\",\r\n \"uri\": \"gs://{bucket_name}/{backup_name}.bak\",\r\n \"database\": \"{database_name}\"\r\n }\r\n}\r\n"
headers = {
'Content-Type': 'application/json'
}
conn.request("POST", "/sql/v1beta4/projects/{project_id}/instances/{instance_name}/import", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
return(data.decode("utf-8"))
这看起来像 python,所以我建议使用 Discovery Client Library for Python。这个库围绕 SQL Admin API:
提供了一个方便的包装器
# Construct the service object for the interacting with the Cloud SQL Admin API.
service = discovery.build('sqladmin', 'v1beta4', http=http)
req = service.instances().list(project="PROJECT_ID")
resp = req.execute()
print json.dumps(resp, indent=2)
默认情况下,此库使用“Application Default Credentials (ADC)”策略从环境中获取您的凭据。
您还可以通过创建 oauth2 令牌并将其设置为请求中的 header 来手动验证您的请求(例如,如果您想使用 asyncio)。最简单的方法是使用 google-auth 包获取 ADC 并将其设置为 header:
import google.auth
import google.auth.transport.requests
credentials, project_id = google.auth.default()
credentials.refresh(google.auth.transport.requests.Request())
headers = {
"Authorization": "Bearer {}".format(credentials.token),
"Content-Type": "application/json"
}
我正在尝试构建小函数(后来部署到云函数)以将 BAK 文件恢复到云 sql。此功能将由 cron 触发。 在阅读有关授权此 API 的文档时,我有点迷路:https://cloud.google.com/sql/docs/sqlserver/import-export/importing#importing_data_from_a_bak_file_in
已创建包含此角色的服务帐户:Cloud SQL Admin、Storage Admin、Storage Object Admin、Storage Object Viewer,并在创建 Cloud Function 时从下拉列表中选择该服务帐户,但不起作用。
阅读此文后还尝试生成 API 密钥:https://cloud.google.com/sql/docs/sqlserver/admin-api/how-tos/authorizing
所以我的POSTurl变成了这个:
https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/import?key=generatedAPIKey
但仍然出现错误:
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"errors": [
{
"message": "Login Required.",
"domain": "global",
"reason": "required",
"location": "Authorization",
"locationType": "header"
}
],
"status": "UNAUTHENTICATED"
}
}
我需要为此使用 Oauth 2 吗?这是我在 Cloud Function 中的代码:
import http.client
import mimetypes
def restore_bak(request):
conn = http.client.HTTPSConnection("www.googleapis.com")
payload = "{\r\n \"importContext\":\r\n {\r\n \"fileType\": \"BAK\",\r\n \"uri\": \"gs://{bucket_name}/{backup_name}.bak\",\r\n \"database\": \"{database_name}\"\r\n }\r\n}\r\n"
headers = {
'Content-Type': 'application/json'
}
conn.request("POST", "/sql/v1beta4/projects/{project_id}/instances/{instance_name}/import", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
return(data.decode("utf-8"))
这看起来像 python,所以我建议使用 Discovery Client Library for Python。这个库围绕 SQL Admin API:
提供了一个方便的包装器# Construct the service object for the interacting with the Cloud SQL Admin API.
service = discovery.build('sqladmin', 'v1beta4', http=http)
req = service.instances().list(project="PROJECT_ID")
resp = req.execute()
print json.dumps(resp, indent=2)
默认情况下,此库使用“Application Default Credentials (ADC)”策略从环境中获取您的凭据。
您还可以通过创建 oauth2 令牌并将其设置为请求中的 header 来手动验证您的请求(例如,如果您想使用 asyncio)。最简单的方法是使用 google-auth 包获取 ADC 并将其设置为 header:
import google.auth
import google.auth.transport.requests
credentials, project_id = google.auth.default()
credentials.refresh(google.auth.transport.requests.Request())
headers = {
"Authorization": "Bearer {}".format(credentials.token),
"Content-Type": "application/json"
}