让 AppEngine AppAssertionCredentials 工作(Python)?
Getting AppEngine AppAssertionCredentials working (Python)?
我正在将一个 App Engine python 项目从旧的 Google Admin SDK API 更新到新的 built in services account (AppAssertionCredentials) 并且难以获得 built in services account (AppAssertionCredentials) 身份验证。
我已经
- 在开发者控制台中启用了 Admin SDK API
- 在 Google 应用仪表板中启用 API 访问权限
为了解决这个问题,我从开发者控制台创建了一个服务帐户,下载了 credentials.json,并在 Google 应用仪表板(安全 > 高级设置)中设置了以下权限(不带引号) > 为该帐户管理 API 客户端访问):
- 客户端:“{服务帐户 ID}。apps.googleusercontent.com”
- 权限:“https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.group.member.readonly”
我当前的代码是(略有修改)
# ...
import json
from google.appengine.api import memcache
from googleapiclient.discovery import build
from httplib2 import Http
from oauth2client.client import SignedJwtAssertionCredentials
GAPPS_CREDENTIALS = 'credentials.json'
GAPPS_SCOPES = [
'https://www.googleapis.com/auth/admin.directory.user.readonly',
'https://www.googleapis.com/auth/admin.directory.group.readonly',
'https://www.googleapis.com/auth/admin.directory.group.member.readonly'
]
GAPPS_ADMIN = 'admin'
GAPPS_DOMAIN = 'domain.com'
GAPPS_USER = 'user'
# ...
with open(GAPPS_CREDENTIALS) as jsonfile:
jsondata = json.load(jsonfile)
credentials = SignedJwtAssertionCredentials(
jsondata['client_email'],
jsondata['private_key'],
scope=GAPPS_SCOPES,
sub=GAPPS_ADMIN+'@'+GAPPS_DOMAIN
)
http = credentials.authorize(Http(memcache))
apps = build('admin', 'directory_v1', http=http)
user = apps.users().get(userKey=GAPPS_USER +'@'+GAPPS_DOMAIN ).execute()
console.log(user['email'])
# ...
这非常有效,但是如果可以的话,我想通过使用 AppAssertionCredentials 调用来进行身份验证来消除 credentials.json 文件。
一旦我运行以下代码,但是:
# ...
import json
from google.appengine.api import memcache
from googleapiclient.discovery import build
from httplib2 import Http
from oauth2client.appengine import AppAssertionCredentials
GAPPS_CREDENTIALS = 'credentials.json'
GAPPS_SCOPES = [
'https://www.googleapis.com/auth/admin.directory.user.readonly',
'https://www.googleapis.com/auth/admin.directory.group.readonly',
'https://www.googleapis.com/auth/admin.directory.group.member.readonly'
]
GAPPS_ADMIN = 'admin'
GAPPS_DOMAIN = 'domain.com'
GAPPS_USER = 'user'
# ...
credentials = AppAssertionCredentials(scope=GAPPS_SCOPES,sub=GAPPS_ADMIN+'@'+GAPPS_DOMAIN)
http = credentials.authorize(Http(memcache))
apps = build('admin', 'directory_v1', http=http)
user = apps.users().get(userKey=GAPPS_USER +'@'+GAPPS_DOMAIN ).execute()
console.log(user['email'])
# ...
我收到 403 错误:
<HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/users/user%domain.com?alt=json returned "Not Authorized to access this resource/api">
我怀疑问题可能是内置服务帐户未在 Google Apps Dashboard 中进行身份验证,但是我无法在 Developers Console 或 App Engine 控制台中找到该帐户域能够添加这些权限。我试过:
- 添加在 Developers Console > Permissions 下找到的所有服务帐户,将 @developer.gserviceaccount.com 更改为 .apps.googleusercontent.com(@cloudservices.gserviceaccount.com 帐户导致错误:
This client name has not been registered with Google yet.)
- 使用 {project}.appspot.com 域:Google 应用程序错误
This client name has not been registered with Google yet.
任何人都可以解释一下吗?
谢谢
回答有关在哪里可以找到 App Engine 默认服务帐户的电子邮件地址表单的问题:它位于权限 -> 服务帐户下的新控制台中(相对于 API 管理器 ->您自己创建的服务帐户的凭据)。
现在回答主要问题:AppAssertionCredentials 不适用于具有委派访问权限的服务帐户,因为它 does not accept a 'sub' parameter for the constructor and doesn't have a method for creating delegated credentials (it's not used as a keyword argument as with SignedJwtAssertionCredentials, which is now ServiceAccountCredentials, and is ignored). You should still be able to use the App Engine default service account with delegation though, since the new console now allows you to create JSON keys for the default service accounts。
有可能通过 AppAssertionCredentials 支持委托访问,为此您可以 post 在 project issue tracker.
上提出功能请求
我正在将一个 App Engine python 项目从旧的 Google Admin SDK API 更新到新的 built in services account (AppAssertionCredentials) 并且难以获得 built in services account (AppAssertionCredentials) 身份验证。
我已经
- 在开发者控制台中启用了 Admin SDK API
- 在 Google 应用仪表板中启用 API 访问权限
为了解决这个问题,我从开发者控制台创建了一个服务帐户,下载了 credentials.json,并在 Google 应用仪表板(安全 > 高级设置)中设置了以下权限(不带引号) > 为该帐户管理 API 客户端访问):
- 客户端:“{服务帐户 ID}。apps.googleusercontent.com”
- 权限:“https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.group.member.readonly”
我当前的代码是(略有修改)
# ...
import json
from google.appengine.api import memcache
from googleapiclient.discovery import build
from httplib2 import Http
from oauth2client.client import SignedJwtAssertionCredentials
GAPPS_CREDENTIALS = 'credentials.json'
GAPPS_SCOPES = [
'https://www.googleapis.com/auth/admin.directory.user.readonly',
'https://www.googleapis.com/auth/admin.directory.group.readonly',
'https://www.googleapis.com/auth/admin.directory.group.member.readonly'
]
GAPPS_ADMIN = 'admin'
GAPPS_DOMAIN = 'domain.com'
GAPPS_USER = 'user'
# ...
with open(GAPPS_CREDENTIALS) as jsonfile:
jsondata = json.load(jsonfile)
credentials = SignedJwtAssertionCredentials(
jsondata['client_email'],
jsondata['private_key'],
scope=GAPPS_SCOPES,
sub=GAPPS_ADMIN+'@'+GAPPS_DOMAIN
)
http = credentials.authorize(Http(memcache))
apps = build('admin', 'directory_v1', http=http)
user = apps.users().get(userKey=GAPPS_USER +'@'+GAPPS_DOMAIN ).execute()
console.log(user['email'])
# ...
这非常有效,但是如果可以的话,我想通过使用 AppAssertionCredentials 调用来进行身份验证来消除 credentials.json 文件。
一旦我运行以下代码,但是:
# ...
import json
from google.appengine.api import memcache
from googleapiclient.discovery import build
from httplib2 import Http
from oauth2client.appengine import AppAssertionCredentials
GAPPS_CREDENTIALS = 'credentials.json'
GAPPS_SCOPES = [
'https://www.googleapis.com/auth/admin.directory.user.readonly',
'https://www.googleapis.com/auth/admin.directory.group.readonly',
'https://www.googleapis.com/auth/admin.directory.group.member.readonly'
]
GAPPS_ADMIN = 'admin'
GAPPS_DOMAIN = 'domain.com'
GAPPS_USER = 'user'
# ...
credentials = AppAssertionCredentials(scope=GAPPS_SCOPES,sub=GAPPS_ADMIN+'@'+GAPPS_DOMAIN)
http = credentials.authorize(Http(memcache))
apps = build('admin', 'directory_v1', http=http)
user = apps.users().get(userKey=GAPPS_USER +'@'+GAPPS_DOMAIN ).execute()
console.log(user['email'])
# ...
我收到 403 错误:
<HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/users/user%domain.com?alt=json returned "Not Authorized to access this resource/api">
我怀疑问题可能是内置服务帐户未在 Google Apps Dashboard 中进行身份验证,但是我无法在 Developers Console 或 App Engine 控制台中找到该帐户域能够添加这些权限。我试过:
- 添加在 Developers Console > Permissions 下找到的所有服务帐户,将 @developer.gserviceaccount.com 更改为 .apps.googleusercontent.com(@cloudservices.gserviceaccount.com 帐户导致错误:
This client name has not been registered with Google yet.) - 使用 {project}.appspot.com 域:Google 应用程序错误
This client name has not been registered with Google yet.
任何人都可以解释一下吗?
谢谢
回答有关在哪里可以找到 App Engine 默认服务帐户的电子邮件地址表单的问题:它位于权限 -> 服务帐户下的新控制台中(相对于 API 管理器 ->您自己创建的服务帐户的凭据)。
现在回答主要问题:AppAssertionCredentials 不适用于具有委派访问权限的服务帐户,因为它 does not accept a 'sub' parameter for the constructor and doesn't have a method for creating delegated credentials (it's not used as a keyword argument as with SignedJwtAssertionCredentials, which is now ServiceAccountCredentials, and is ignored). You should still be able to use the App Engine default service account with delegation though, since the new console now allows you to create JSON keys for the default service accounts。
有可能通过 AppAssertionCredentials 支持委托访问,为此您可以 post 在 project issue tracker.
上提出功能请求