如何鉴别不同的服务帐户凭据谷歌的API？ [英] How to authenticate google APIs with different service account credentials?

问题描述

由于人谁曾经不得不与谷歌CLI二进制编程方式将已经意识到了一整套互动，与 gcloud ，<$ C的喜欢认证的不幸$ C>的gsutil ， BQ 等，是远离直观的或微不足道的，的尤其的，当你需要跨工作不同的项目。

As anyone who has ever had the misfortune of having to interact with the panoply of Google CLI binaries programmatically will have realised, authenticating with the likes of gcloud, gsutil, bq, etc. is far from intuitive or trivial, especially when you need to work across different projects.

我正在运行与谷歌云存储和交互的BigQuery为不同的项目不同的cron作业。由于cron作业可能会重叠，重命名配置文件显然不是一个选项，也不会任何理智的人采取这种方法。

I am running various cron jobs that interact with Google Cloud Storage and BigQuery for different projects. Since the cron jobs may overlap, renaming config files is clearly not an option, and nor would any sane person take that approach.

有肯定是某种传递路径服务帐户的密钥对文件，这些CLI可执行文件的方法，但 BQ帮助得到什么。

There must surely be some sort of method of passing a path to a service account's key pair file to these CLI binaries, but bq help yields nothing.

在谷歌文档，而冗长，在很大程度上是没用的，以一台对的OAuth2是如何工作的一个旅游等，而不是解释什么肯定是一个非常常见的需求，面对面的人，如何实际验证服务帐户不运行修改中央配置文件中的命令。

The Google documentation, while verbose, is largely useless, taking one on a tour of how OAuth2 works, etc, instead of explaining what must surely be a very common requirement, vis-a-vis, how to actually authenticate a service account without running commands that modify central config files.

可以任意觉者告诉我在谷歌的工程师们是否决定一样简单增加一个功能，因为传递的路径，服务帐户的密钥对文件的gsutil 的喜欢和 BQ ？或许我可以简单地出口一些变量，让他们知道要用于身份验证该密钥对文件？

Can any enlightened being tell me whether the engineers at Google decided to add a feature as simple as passing the path to a service account's key pair file to the likes of gsutil and bq? Or perhaps I could simply export some variable so they know which key pair file to use for authentication?

我意识到这些简单的方法可能是一种侮辱智慧，但我们不利用核聚变关于自己，所以我们甚至不需要考虑什么了亚马逊与他们的做法相比，认证，这样吧...

I realise these simplistic approaches may be an insult to the intelligence, but we aren't concerning ourselves with harnessing nuclear fusion, so we needn't even consider what Amazon got so right with their approach to authentication in comparison...

推荐答案

在云SDK配置是全局性的用户，但您可以指定在每个命令的基础使用哪些方面的配置中。为了完成你正在尝试做的，您可以：

Configuration in the Cloud SDK is global for the user, but you can specify what aspects of that config to use on a per command basis. To accomplish what you are trying to do you can:

gcloud auth activate-service-account foo@developer.gserviceaccount.com --key-file ...
gcloud auth activate-service-account bar@developer.gserviceaccount.com --key-file ...

在这一点上，凭据都集在全局凭证存储。
现在你可以运行：

At this point, both sets of credentials are in your global credentials store. Now you can run:

gcloud --account foo@developer.gserviceaccount.com some-command
gcloud --account bar@developer.gserviceaccount.com some-command

在并行，而且每次都会使用给定的账户，不受外界干扰。

in parallel, and each will use the given account without interfering.

这方面的一个较大的扩展部分是'配置'，它做同样的事情，但对于您的整个配置（包括象帐户和项目设置）。

A larger extension of this is 'configurations' which do the same thing, but for your entire set of config (including settings like account and project).

# Create first configuration
gcloud config configurations create myconfig
gcloud config configurations activate myconfig
gcloud config set account foo@developer.gserviceaccount.com
gcloud config set project foo

# Create second configuration
gcloud config configurations create anotherconfig
gcloud config configurations activate anotherconfig
gcloud config set account bar@developer.gserviceaccount.com
gcloud config set project bar

你可以说每个命令基础上使用的配置。

And you can say which configuration to use on a per command basis.

gcloud --configuration myconfig some-command
gcloud --configuration anotherconfig some-command

您可以通过运行阅读更多关于配置： gcloud话题配置

You can read more about configurations by running: gcloud topic configurations

所有的属性都有相应的环境变量，允许您设置特定属性为单个命令调用或终端会话。他们采取的形式：

All properties have corresponding environment variables that allow you to set that particular property for a single command invocation or for a terminal session. They take the form:

CLOUDSDK_＆lt;节＆GT; _＆LT;性＆gt;

例如： CLOUDSDK_CORE_ACCOUNT

您可以通过运行看到所有可用的配置设置： gcloud帮助配置

You can see all the available config settings by running: gcloud help config

在--configuration标志相对应的是： CLOUDSDK_ACTIVE_CONFIG_NAME

The equivalent of the --configuration flag is: CLOUDSDK_ACTIVE_CONFIG_NAME

如果你真的想完全隔离，​​还可以更改 CLOUDSDK_CONFIG 设置为您选择的目录云SDK的config目录。请注意，如果你这样做，是配置完全独立的，包括凭证存储，所有的配置，日志等。

If you really want complete isolation, you can also change the Cloud SDK's config directory by setting CLOUDSDK_CONFIG to a directory of your choosing. Note that if you do this, the config is completely separate including the credential store, all configurations, logs, etc.

这篇关于如何鉴别不同的服务帐户凭据谷歌的API？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！