使用IntelliJ IDEA进行调试时，如何将服务帐户凭据添加到Google App Engine? [英] How to add service account credentials to Google App Engine when debugging with IntelliJ IDEA?

问题描述

我正在开发使用Google Cloud Storage的Google App Engine(标准环境)应用程序.我已使用适用于云的App Engine API存储，直到现在为止，它使用数据存储为Cloud Storage提供了本地仿真.随着这些API的过时，我决定使用推荐的API ，但是在本地服务器上运行时，我一直在使用凭据(我已经在使用新的云代码插件，而不是旧的

I am developing a Google App Engine (Standard environment) application which uses Google Cloud Storage. I have used App Engine APIs for Cloud Storage until now, which provides a local emulation for the Cloud Storage using Datastore. As those APIs are getting obsolete now, I have decided to use the recommended APIs, however I am struggling with the credentials when running on the Local Server (I am already using the new Cloud Code plugin, not the old App Engine one).

我已经创建了一个服务帐户，并且已经为其创建并下载了密钥.如果我要运行普通的Java应用程序，则可以为VM指定​​环境变量，并且可以提供必要的 -DGOOGLE_APPLICATION_CREDENTIALS = xxxxx.json 参数.Cloud Code提供的服务器似乎没有办法提供环境变量，我只能提供VM选项，因此我不知道如何为它提供必要的环境或如何将凭据传递给它.以其他方式.我得到这种工作的唯一方法是使用

I have created a service account and I have created and downloaded the key for it. If I would be running a normal Java app, I would be able to specify enviroment variables for the VM and I could provide the necessary -DGOOGLE_APPLICATION_CREDENTIALS=xxxxx.json parameters. The server provided by the Cloud Code does not seem to have any way how to provide environment variables, I can only provide VM options, therefore I do not know how can I provide the necessary environment to it, or how to pass the credentials to it in some other way. The only way I got it kind of working was using

gcloud auth应用程序-默认登录名

已将凭据保存在 D:\ Users \ xxxx \ AppData \ Roaming \ gcloud \ application_default_credentials.json 中.这行得通，但是每当我调试应用程序时，都会收到以下警告:

which has saved credentials in D:\Users\xxxx\AppData\Roaming\gcloud\application_default_credentials.json. This works, but any time I am debugging my application, I get following warning:

com.google.auth.oauth2.DefaultCredentialsProvider warnAboutProblematicCredentials

com.google.auth.oauth2.DefaultCredentialsProvider warnAboutProblematicCredentials

警告:您的应用已使用Google Cloud SDK中的最终用户凭据进行了身份验证.我们建议大多数服务器应用程序改为使用服务帐户.如果您的应用程序继续使用Cloud SDK中的最终用户凭据，则可能会收到超出"的警告.或未启用API"；错误.

WARNING: Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most server applications use service accounts instead. If your application continues to use end user credentials from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error.

我不确定这个警告有多严重，但听起来确实让我感到恐惧.

I am not sure how serious this warning is, but it sure sounds scary to me.

在我的应用程序中，我使用以下代码(Scala，Java非常相似)来创建具有凭据的服务:

In my application I use this code (Scala, Java would be very similar) to create the service with the credentials:

  val credentials = GoogleCredentials.getApplicationDefault
  val storage = StorageOptions.newBuilder().setCredentials(credentials).build().getService

在本地Google App Engine服务器上运行时，传递服务帐户凭据的正确方法是什么?

What is the proper way to pass service account credentials when running on a local Google App Engine server?

推荐答案

大警告的问题是Google不想让您使用用户凭据代替服务帐户凭据.Google锁定(限制)(您)可以请求的范围/数据第三方服务.我的建议是不要再使用用户凭据，因为它们最终将不再起作用.

The issue with the big warning is that Google does not want you to use User Credentials in place of Service Account credentials. Google is locking down (restricting) what scopes/data third-party services (you) can request. My advice is to not use User Credentials anymore as they will eventually no longer work.

有几种解决方法.

方法1 :设置CLI以使用服务帐户:

Method 1: Setup the CLI to use a service account:

gcloud auth activate-service-account test@development.iam.gserviceaccount.com --key-file=test_google_account.json

为服务帐户使用正确的电子邮件地址.可以在Google Cloud控制台和JSON文件中找到.Google图书馆会找到这些凭据.在我的网站上，我写了几篇有关服务帐户，应用程序默认凭据(ADC)等详细信息的文章.

Use the correct email address for the service account. This can be found in the Google Cloud console and also in the JSON file. Google libraries will find these credentials. On my website, I have written several articles on the details of services accounts, Application Default Credentials (ADC), etc.

方法2:在代码中指定服务帐户

credentials = GoogleCredentials.fromStream(new FileInputStream(service_account_filename))

创建一个标志或环境变量，以便您的代码(如果可以)决定何时在桌面上运行以处理凭据.

Create a flag or environment variable so that your code can if-else decide when running on your desktop to process credentials.

方法3:

如果设置了系统(而非VM命令行)环境变量 GOOGLE_APPLICATION_CREDENTIALS ，则库将使用该变量指向的文件名来获得服务帐户凭据.该文件是JSON格式的Google Cloud Service帐户凭据文件.

If the system (not the VM command line) environment variable GOOGLE_APPLICATION_CREDENTIALS is set, the libraries will use the filename that the variable points to for service account credentials. This file is a Google Cloud Service Account credentials file in JSON format.

在启动IntelliJ之前设置此环境变量.

Set this environment variable before you launch your IntelliJ.

我的文档链接:

• https://www.jhanley.com/google-cloud-application-default-credentials/
• https://www.jhanley.com/google-cloud-setting-up-gcloud-with-service-account-credentials/
• https://www.jhanley.com/google-cloud-creating-and-authorizing-service-account-credentials-with-the-cli/

这篇关于使用IntelliJ IDEA进行调试时，如何将服务帐户凭据添加到Google App Engine?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！