AttributeError: 'tuple' object has no attribute 'authorize' - GCP Create Service Account with Workload Identity Federation
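I'm trying to create a service account in GCP using Python. This works fine when I set the env var GOOGLE_APPLICATION_CREDENTIALS to a JSON credentials file and use the following code:

    GoogleCredentials.get_application_default()

But the following code fails in CI (GitHub Actions using Workload Identity Federation):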

    import google
    import googleapiclient.discovery
    import os
    from util import get_service_name

    environment = os.getenv('ENVIRONMENT')


    def create_service_account(requested_project_id):
        project_id = requested_project_id
        credentials = google.auth.default()
        service = googleapiclient.discovery.build(
            'iam', 'v1', credentials=credentials)
        service_account_name = f'svc-{get_service_name()}'
        service_accounts = service.projects().serviceAccounts().list(
            name='projects/' + project_id).execute()
        service_account_exists = False
        # The list response has no 'accounts' key when the project has none.
        for account in service_accounts.get('accounts', []):
            if service_account_name in account['name']:
                service_account_exists = True
                service_account = account
                break
        if not service_account_exists:
            service_account = service.projects().serviceAccounts().create(
                name='projects/' + project_id,
                body={
                    'accountId': service_account_name,
                    'serviceAccount': {
                        'displayName': service_account_name
                    }
                }).execute()
        print(f'{"Already Exists" if service_account_exists else "Created"} service account: ' + service_account['email'])
        return service_account

It fails with the error:

      File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/_helpers.py", line 131, in positional_wrapper
        return wrapped(*args, **kwargs)
      File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/discovery.py", line 298, in build
        service = build_from_document(
      File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/_helpers.py", line 131, in positional_wrapper
        return wrapped(*args, **kwargs)
      File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/discovery.py", line 600, in build_from_document
        http = _auth.authorized_http(credentials)
      File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/_auth.py", line 119, in authorized_http
        return credentials.authorize(build_http())
    AttributeError: 'tuple' object has no attribute 'authorize'

I'm using the following GitHub Action to authenticate with Google:

    - name: Authenticate to Google Cloud To Create Service Account
      uses: google-github-actions/auth@v0.4.3
      with:
        workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-actions-identity-pool/providers/github-provider'
        service_account: 'svc-iam-creator-dev@acme-dev-tooling.iam.gserviceaccount.com'

Can anyone help?

You have two problems. This line of code is failing:

    credentials = google.auth.default()

Problem 1 - Generate a Google OAuth access token

Change the GitHub Actions step to:

    - name: Authenticate to Google Cloud To Create Service Account
      id: auth  # required so that steps.auth.outputs.access_token resolves
      uses: google-github-actions/auth@v0.4.3
      with:
        token_format: 'access_token' # Your python code needs an access token
        access_token_lifetime: '300s' # make this value small but long enough to complete the job
        workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-actions-identity-pool/providers/github-provider'
        service_account: 'svc-iam-creator-dev@acme-dev-tooling.iam.gserviceaccount.com'

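Problem 2 - Create credentials

This line will not work because credentials are not available from ADC (Application Default Credentials).

    credentials = google.auth.default()

Pass the access token generated by Workload Identity Federation from the GitHub Actions step output to your program:

    ${{ steps.auth.outputs.access_token }}

Create credentials from the access token: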
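
    import google.oauth2.credentials
    import googleapiclient.discovery

    # access_token is the value of steps.auth.outputs.access_token passed into the program
    credentials = google.oauth2.credentials.Credentials(access_token)
    service = googleapiclient.discovery.build('iam', 'v1', credentials=credentials)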
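
An added example, not part of the original question or answer: the AttributeError in the traceback is raised because google.auth.default() returns a (credentials, project_id) tuple and the whole tuple was handed to build(). The code below selects credentials for both cases on this page, the short-lived token in CI and ADC on a workstation; the GCP_ACCESS_TOKEN variable name and the function names are assumptions.

```python
import os

# Assumed variable name; in the workflow it would be set from
# ${{ steps.auth.outputs.access_token }} via the step's env: block.
TOKEN_ENV = "GCP_ACCESS_TOKEN"


def _from_token(token):
    # Imported lazily so the selection logic runs without the Google libraries.
    import google.oauth2.credentials
    return google.oauth2.credentials.Credentials(token)


def _adc():
    import google.auth
    # Returns a (credentials, project_id) tuple, not a bare credentials object.
    return google.auth.default()


def resolve_credentials(env=os.environ, from_token=_from_token, adc=_adc):
    """Return (credentials, project_id) for googleapiclient.discovery.build()."""
    token = env.get(TOKEN_ENV, "").strip()
    if token:
        # Token minted by the auth step. It carries no refresh token, so the
        # job has to finish within access_token_lifetime.
        return from_token(token), None
    result = adc()
    # Unpack explicitly: passing the tuple itself to build() is what raises
    # "'tuple' object has no attribute 'authorize'".
    if not (isinstance(result, tuple) and len(result) == 2):
        raise TypeError("expected (credentials, project_id) from ADC")
    credentials, project_id = result
    return credentials, project_id


def build_iam_service(env=os.environ):
    """Build the IAM client used by create_service_account()."""
    import googleapiclient.discovery
    credentials, _ = resolve_credentials(env)
    return googleapiclient.discovery.build("iam", "v1", credentials=credentials)
```

Passing the token through an environment variable rather than a command-line argument keeps it out of the process list and the echoed command in the job log.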