Authenticating GCP service account with Bitbucket Pipelines
Currently trying to authenticate a Linux machine in a Bitbucket pipeline to run this code in a test that allows it to move a file from a GCS bucket to itself.
storage_client = storage.Client()
source_bucket = storage_client.bucket('gs://xxxx')
source_blob = source_bucket.blob(xxxx)
_ = source_bucket.copy_blob(source_blob, 'xxxx', destination_blob_name)
To authenticate, I put this in bitbucket-pipelines.yml at the root of the repository:
image: python:3.8
options:
  max-time: 20
pipelines:
  default:
    - step:
        size: 2x
        caches:
          - pip
          - pipenv
        script:
          - curl -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-365.0.0-linux-x86_64.tar.gz
          - tar -xvf google-cloud-sdk-365.0.0-linux-x86_64.tar.gz
          - ./google-cloud-sdk/install.sh
          - export PATH=$PATH:$(pwd)/google-cloud-sdk/bin
          - echo $GCLOUD_SERVICE_KEY | gcloud auth activate-service-account --key-file=-
          - pip3 install -U pip pipenv
          - pipenv install --deploy --dev
          - gcloud auth list
          - pipenv run pytest -v --junitxml=test-reports/report.xml
where GCLOUD_SERVICE_KEY is a repository variable on Bitbucket. However, when the line pipenv run pytest -v --junitxml=test-reports/report.xml is run, I get the error message:
> storage_client = storage.Client()
tests/gcs/test_gcs.py:58:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/root/.local/share/virtualenvs/build-3vGKWv3F/lib/python3.8/site-packages/google/cloud/storage/client.py:124: in __init__
super(Client, self).__init__(
/root/.local/share/virtualenvs/build-3vGKWv3F/lib/python3.8/site-packages/google/cloud/client.py:318: in __init__
_ClientProjectMixin.__init__(self, project=project, credentials=credentials)
/root/.local/share/virtualenvs/build-3vGKWv3F/lib/python3.8/site-packages/google/cloud/client.py:266: in __init__
project = self._determine_default(project)
/root/.local/share/virtualenvs/build-3vGKWv3F/lib/python3.8/site-packages/google/cloud/client.py:285: in _determine_default
return _determine_default_project(project)
/root/.local/share/virtualenvs/build-3vGKWv3F/lib/python3.8/site-packages/google/cloud/_helpers.py:186: in _determine_default_project
_, project = google.auth.default()
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
scopes = None, request = None, quota_project_id = None, default_scopes = None
def default(scopes=None, request=None, quota_project_id=None, default_scopes=None):
"""Gets the default credentials for the current environment.
`Application Default Credentials`_ provides an easy way to obtain
credentials to call Google APIs for server-to-server or local applications.
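Now, some people would want to save GCLOUD_SERVICE_KEY as a file in the repository or somehow copy it onto the Linux machine running the pipeline itself, but I think it is best that we use the line echo $GCLOUD_SERVICE_KEY | gcloud auth activate-service-account --key-file=- and do not commit any private keys.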
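The command gcloud auth activate-service-account does not set up ADC (Application Default Credentials) for Python programs.
Write the contents of the service account key to a file and set the environment variable GOOGLE_APPLICATION_CREDENTIALS to point to that file.
Another option is to write the contents to a known location and then specify that location when creating the client: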
storage.Client.from_service_account_json('<PATH_TO_SERVICE_ACCOUNT_JSON>')
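There are other options, such as creating credentials from a JSON string passed to the Python program. Typically you would base64 encode/decode first.
import json
info = json.loads(key_json)  # key_json: the service account JSON string; from_service_account_info expects a dict
credentials = service_account.Credentials.from_service_account_info(info)
storage.Client(credentials=credentials)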
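The file-based option from the answer above, as an added example that is not part of the original answer: it reads the key from the GCLOUD_SERVICE_KEY repository variable (raw or base64-encoded JSON), checks that it is a service account key, writes it to an owner-only file and sets GOOGLE_APPLICATION_CREDENTIALS. The function names `load_key_info` and `materialize_adc` and the sample key are assumptions made for illustration.

```python
import base64
import binascii
import json
import os
import tempfile

REQUIRED = ("project_id", "private_key", "client_email")

def load_key_info(raw):
    """Parse a service account key stored as raw JSON or base64-encoded JSON."""
    text = raw.strip()
    if not text.startswith("{"):
        try:
            packed = "".join(text.split())  # tolerate line-wrapped base64
            text = base64.b64decode(packed, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            raise ValueError("variable is neither JSON nor base64 JSON") from None
    try:
        info = json.loads(text)
    except json.JSONDecodeError:
        # "from None" drops the chained error, whose .doc holds the whole key text
        raise ValueError("service account key is not valid JSON") from None
    if not isinstance(info, dict) or info.get("type") != "service_account":
        raise ValueError("not a service account key")
    missing = [k for k in REQUIRED if not info.get(k)]
    if missing:
        raise ValueError(f"key is missing fields: {missing}")
    return info

def materialize_adc(env=os.environ, var="GCLOUD_SERVICE_KEY"):
    """Write the key to an owner-only file and point ADC at it; returns the path."""
    info = load_key_info(env[var])
    # mkstemp creates the file with mode 0600 in the system temp directory,
    # which is normally outside the repository clone
    fd, path = tempfile.mkstemp(prefix="gcp-sa-", suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(info, fh)
    env["GOOGLE_APPLICATION_CREDENTIALS"] = path
    return path

if __name__ == "__main__":
    # Constructed sample key: placeholder values, not a real credential
    sample = json.dumps({"type": "service_account", "project_id": "demo-project",
                         "private_key": "constructed-placeholder",
                         "client_email": "ci@demo-project.iam.gserviceaccount.com"})
    demo_env = {"GCLOUD_SERVICE_KEY": base64.b64encode(sample.encode()).decode()}
    path = materialize_adc(demo_env)
    print(path, oct(os.stat(path).st_mode & 0o777))
    os.remove(path)
```

Calling `materialize_adc()` from conftest.py before the first `storage.Client()` lets `google.auth.default()` find the key file through GOOGLE_APPLICATION_CREDENTIALS.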