Google 应用程序默认凭据 - "Insufficient Permission" 在开发中 & "Bad Request" 在生产中
Google Application Default Credentials - "Insufficient Permission" in development & "Bad Request" in production
我正在使用 Google Application Default Credentials 通过 Gmail API 获取标签列表。
当 运行 应用程序在本地使用 gcloud preview app run 命令时,我得到 HttpError: <HttpError 403 when requesting https://www.googleapis.com/gmail/v1/users/user%40domain.com/labels?alt=json returned "Insufficient Permission">
然后我部署了应用程序并尝试访问。但是我得到了 HttpError: <HttpError 400 when requesting https://www.googleapis.com/gmail/v1/users/user%40domain.com/labels?alt=json returned "Bad Request">
我在 gcloud config list 中有正确的配置:
account = my_email@domain.com (Appengine Application Owener & Domain Admin)
disable_usage_reporting = False
project = <appengine_project_id>
gcloud 版本详情:
Google Cloud SDK 0.9.76
app 2015.08.27
app-engine-python 1.9.25
bq 2.0.18
bq-nix 2.0.18
core 2015.08.27
core-nix 2015.06.02
gcloud 2015.08.27
gsutil 4.14
gsutil-nix 4.12
preview 2015.08.27
我还添加了服务帐户的客户端 ID 和 Gmail 范围:https://www.googleapis.com/auth/gmail.readonly Google Apps admin CPanel 和 Gmail API 在 Appengine 控制台中启用。
代码如下:
from googleapiclient.discovery import build
from oauth2client.client import GoogleCredentials
class Connection:
def __init__(cls):
cls.credentials = GoogleCredentials.get_application_default()
def fetch_labels(cls):
service = build('gmail', 'v1', credentials=cls.credentials)
logging.info(service)
results = service.users().labels().list(userId='user@domain.com').execute()
labels = results.get('labels', [])
if not labels:
logging.info('No labels found.')
else:
logging.info('Labels:')
for label in labels:
logging.info(label['name'])
pass
class Handler(webapp2.RequestHandler):
def get(self):
con = Connection()
con.fetch_labels()
我不是 100% 确定这一点,但我认为应用程序默认凭据不支持全域授权。您仍然需要将服务帐户凭据与 sub 参数一起使用:
credentials = SignedJwtAssertionCredentials(
service_account_email, service_account_key,
scope='...', sub=user_email)
我正在使用 Google Application Default Credentials 通过 Gmail API 获取标签列表。
当 运行 应用程序在本地使用 gcloud preview app run 命令时,我得到 HttpError: <HttpError 403 when requesting https://www.googleapis.com/gmail/v1/users/user%40domain.com/labels?alt=json returned "Insufficient Permission">
然后我部署了应用程序并尝试访问。但是我得到了 HttpError: <HttpError 400 when requesting https://www.googleapis.com/gmail/v1/users/user%40domain.com/labels?alt=json returned "Bad Request">
我在 gcloud config list 中有正确的配置:
account = my_email@domain.com (Appengine Application Owener & Domain Admin)
disable_usage_reporting = False
project = <appengine_project_id>
gcloud 版本详情:
Google Cloud SDK 0.9.76
app 2015.08.27
app-engine-python 1.9.25
bq 2.0.18
bq-nix 2.0.18
core 2015.08.27
core-nix 2015.06.02
gcloud 2015.08.27
gsutil 4.14
gsutil-nix 4.12
preview 2015.08.27
我还添加了服务帐户的客户端 ID 和 Gmail 范围:https://www.googleapis.com/auth/gmail.readonly Google Apps admin CPanel 和 Gmail API 在 Appengine 控制台中启用。
代码如下:
from googleapiclient.discovery import build
from oauth2client.client import GoogleCredentials
class Connection:
def __init__(cls):
cls.credentials = GoogleCredentials.get_application_default()
def fetch_labels(cls):
service = build('gmail', 'v1', credentials=cls.credentials)
logging.info(service)
results = service.users().labels().list(userId='user@domain.com').execute()
labels = results.get('labels', [])
if not labels:
logging.info('No labels found.')
else:
logging.info('Labels:')
for label in labels:
logging.info(label['name'])
pass
class Handler(webapp2.RequestHandler):
def get(self):
con = Connection()
con.fetch_labels()
我不是 100% 确定这一点,但我认为应用程序默认凭据不支持全域授权。您仍然需要将服务帐户凭据与 sub 参数一起使用:
credentials = SignedJwtAssertionCredentials(
service_account_email, service_account_key,
scope='...', sub=user_email)