来自GAE的云存储API请求 - 403访问未配置 [英] Cloud Storage API requests from GAE - 403 Access not configured
问题描述
我的GAE应用试图操纵存储在Google云端存储上的文件。
这些文件存储在我的应用的默认存储桶中。我已经设法使用GCS Python客户端库( https: //developers.google.com/appengine/docs/python/googlecloudstorageclient/ )。
不幸的是,它不支持复制。相反,我使用API客户端库( https://google-api-client-libraries.appspot.com/documentation/storage/v1/python/latest/storage_v1.objects.html )和服务帐户( https://developers.google.com/api-client-library/python / b 到目前为止,我在申请云存储网址时遇到了错误403。 以下是代码: 以下是日志: 请求的网址: 尝试刷新以获取初始access_token 请求的网址: HttpError 4 03请求 以下是我的在开发控制台中完成: 如何使这项工作成功?
$ b
credentials = AppAssertionCredentials(scope ='https://www.googleapis。 com / auth / devstorage.read_write')
http = credentials.authorize(httplib2.Http(memcache))
service = discovery.build('storage','v1',http = http,developerKey = api_key_generated_from_the_dev_console )
bucket_name = app_identity.get_default_gcs_bucket_name()
#我打算批量处理多个请求,虽然在这个例子中只有一个请求
batch = BatchHttpRequest()
#process_list_response输出异常,如果有任何
batch.add(service.objects().list(bucket = bucket_name),callback = process_list_response)
batch.execute(http = http)
https ://www.googleapis.com/discovery/v1/apis/storage/v1/rest?userIp = xxxx
https://www.googleapis.com/storage/v1/b/xxx.appspot.com/o?alt=json
时 https: //www.googleapis.com/storage/v1/b/xxx-dev.appspot.com/o?alt=json 返回
访问未配置。请使用Google Developers Console
为您的项目激活API。
切换为开启。
<解决方案
发布这个答案似乎是我的编辑(我们一起工作)被默默拒绝了,评论太有限了,这不是答案,而是正在扩大这个问题。
一个简单的http请求示例看起来,JSON API根本无法在API Explorer之外工作,XML / REST API可以工作,返回存储桶中的文件列表。
credentials = AppAssertionCredentials(scope ='https://www.googleapis.com/auth/devstorage.read_write')
http =凭证。授权(httplib2.Http(memcache))
bucket_name = app_identity.get_default_gcs_bucket_name()
#这可以工作(200与内容中的文件列表)
request_url ='http://commondatastorage.googleapis.com/'+ bucket_name
response,content = http.request(request_url,method =GET)
#这不起作用403,访问未配置)
request_url ='https://www.googleapis.com/storage/v1/b/'+ bucket_name +'/ o?alt = json'
response,content = http .request(request_url,method =GET)
#这不起作用(403,访问未配置),密钥和项目ID头似乎没用。
request_url ='https://www.googleapis.com/storage/v1/b/'+ bucket_name +'/ o?alt = json& key ='+ API_KEY
response,content = http。 request(request_url,method =GET,headers = {'x-goog-project-id':PROJECT_ID})
另外,查看AppAssertionCredentials的代码,我们可以看到:
kwargs:可选关键字参数,包括:
service_account_id:应用程序的服务帐户ID。如果未指定None或
,则使用应用程序的默认服务帐户。
self.service_account_id = kwargs.get('service_account_id',None)
传递任何作为service_account_id参数的结果会导致一个异常:
pre $ code> Traceback(最近一次调用最后一次)
File/ base / data / home / apps /.../ 1.37 ... / backup.py,第61行,获取
响应,content = http.request(request_url,method =GET)
文件/base/data/home/apps/.../1.377.../oauth2client/util.py,第132行,位于locations_wrapper
返回包装(* args,** kwargs)
文件/base/data/home/apps/.../1.37.../oauth2client/client.py,第491行,在new_request
self._refresh(request_orig)
文件/ base / data / home / apps /.../ 1.37 ... / oauth2client / appengine.py,第197行,在_refresh
中增加AccessTokenRefreshError(str(e))
AccessTokenRefreshError
我已经测试过传递由 app_identity.get_service_account_name()
,那不起作用。 (即使文档说它将使用该应用程序的默认服务帐户,如果未设置)。
我测试过传递开发者控制台中的服务帐户电子邮件,其格式为: 3 ....- v0 .... @ developer.gserviceaccount.com
。
那么,为什么当我们的api / services明确启用Cloudstorage JSON API时,我们得到的403 Access没有配置?
为什么传递一个service_account_id到AppAssertionCredentials失败并带有AccessTokenRefreshError?
编辑:
解决方案很荒谬:关闭Google云端存储API,然后将其重新开启。 我假设应用是一个传统应用程序,并且这样做使最后一个要点12在这里工作: https://developers.google.com/appengine/docs/python/googlecloudstorageclient/activate
My GAE app is trying to manipulate files stored on Google Cloud Storage.
The files are stored in the default bucket for my app. I already managed to read/write files to that bucket using the GCS Python Client Library (https://developers.google.com/appengine/docs/python/googlecloudstorageclient/).
Unfortunately it does not support copy. Instead, I'm trying the JSON API with the API Client Library (https://google-api-client-libraries.appspot.com/documentation/storage/v1/python/latest/storage_v1.objects.html) and service account (https://developers.google.com/api-client-library/python/guide/google_app_engine#ServiceAccounts)
So far I'm getting an error 403 when requesting the cloud storage url.
Here's the code:
credentials = AppAssertionCredentials(scope='https://www.googleapis.com/auth/devstorage.read_write')
http = credentials.authorize(httplib2.Http(memcache))
service = discovery.build('storage', 'v1', http=http, developerKey='api_key_generated_from_the_dev_console')
bucket_name = app_identity.get_default_gcs_bucket_name()
# I'm planning to batch multiple requests, although there is just one in this example
batch = BatchHttpRequest()
# process_list_response outputs the exception if any
batch.add(service.objects().list(bucket=bucket_name), callback=process_list_response)
batch.execute(http=http)
Here's the log:
URL being requested: https://www.googleapis.com/discovery/v1/apis/storage/v1/rest?userIp=x.x.x.x
Attempting refresh to obtain initial access_token
URL being requested: https://www.googleapis.com/storage/v1/b/xxx.appspot.com/o?alt=json
HttpError 403 when requesting https://www.googleapis.com/storage/v1/b/xxx-dev.appspot.com/o?alt=json returned "Access Not Configured. Please use Google Developers Console to activate the API for your project."
Here's what I've done in the dev console:
- Google Cloud Storage and Google Cloud Storage JSON API are switched to ON.
- I created an API key which I use to build the service (is it necessary since I also use Oauth?)
- Under Permissions, I added a member for my app with the email xxx@appspot.gserviceaccount.com
How can I make this work?
Posting this as an answer as it seems that my edit (we work together) was silently rejected, and a comment is too limited. This is not an answer but that is expanding the question.
Simpler example with a single http request. It seems that the JSON API is simply not working outside the API explorer. The XML/REST API works and returns a list of files in the bucket.
credentials = AppAssertionCredentials(scope='https://www.googleapis.com/auth/devstorage.read_write')
http = credentials.authorize(httplib2.Http(memcache))
bucket_name = app_identity.get_default_gcs_bucket_name()
# This works (200 with list of files in the content)
request_url = 'http://commondatastorage.googleapis.com/' + bucket_name
response, content = http.request(request_url, method="GET")
# This doesn't work (403, Access not configured)
request_url = 'https://www.googleapis.com/storage/v1/b/' + bucket_name + '/o?alt=json'
response, content = http.request(request_url, method="GET")
# This doesn't work (403, Access not configured), the key and project id header seem useless.
request_url = 'https://www.googleapis.com/storage/v1/b/' + bucket_name + '/o?alt=json&key=' + API_KEY
response, content = http.request(request_url, method="GET", headers={'x-goog-project-id': PROJECT_ID})
Also, looking at the code of AppAssertionCredentials, we can see:
kwargs: optional keyword args, including:
service_account_id: service account id of the application. If None or
unspecified, the default service account for the app is used.
self.service_account_id = kwargs.get('service_account_id', None)
Passing anything as service_account_id argument results in an exception:
Traceback (most recent call last):
File "/base/data/home/apps/.../1.37.../backup.py", line 61, in get
response, content = http.request(request_url, method="GET")
File "/base/data/home/apps/.../1.377.../oauth2client/util.py", line 132, in positional_wrapper
return wrapped(*args, **kwargs)
File "/base/data/home/apps/.../1.37.../oauth2client/client.py", line 491, in new_request
self._refresh(request_orig)
File "/base/data/home/apps/.../1.37.../oauth2client/appengine.py", line 197, in _refresh
raise AccessTokenRefreshError(str(e))
AccessTokenRefreshError
I have tested to pass the value returned by app_identity.get_service_account_name()
, that doesn't work. (even though the documentation says it will use "the default service account for the app" if it is not set).
I have tested to pass the service account email found in the developer console that has the form: 3....-v0....@developer.gserviceaccount.com
. Same token exception.
So, why are we getting a 403 Access not configured when the Cloudstorage JSON API is clearly enabled under our api/services?
And why is passing a service_account_id to AppAssertionCredentials failing with a AccessTokenRefreshError?
Edit:
The solution was ridiculous: turn OFF the Google Cloud Storage API, and turn it back ON.
I assume that the app was a "legacy" app, and doing so made the last bullet point 12 work here: https://developers.google.com/appengine/docs/python/googlecloudstorageclient/activate
这篇关于来自GAE的云存储API请求 - 403访问未配置的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!