通过Python中的服务帐户访问Google Cloud Storage的权限 [英] Permission to Google Cloud Storage via service account in Python

问题描述

我正在尝试获取一个服务帐户以在Google Cloud Storage中创建Blob 从Python脚本中获取，但是我的凭据有问题.

I am trying to get a service account to create blobs in Google Cloud Storage from within a Python script, but I am having issues with the credentials.

1)我为我的项目创建服务帐户，然后将密钥文件下载到json中:

1) I create the service account for my project and then download the key file in json:

"home/user/.config/gcloud/service_admin.json"

2)我为服务帐户提供了必要的凭据(通过子进程中的gcloud)

2) I give the service account the necessary credentials (via gcloud in a subprocess)

 roles/viewer, roles/storage.admin,  roles/resourcemanager.projectCreator, roles/billing.user

然后我想访问GCS中的存储桶

Then I would like to access a bucket in GCS

from google.cloud import storage
import google.auth

credentials, project = google.auth.default()
client = storage.Client('myproject', credentials=credentials)
bucket = client.get_bucket('my_bucket')

不幸的是，这导致:

google.api_core.exceptions.Forbidden: 403 GET
https://www.googleapis.com/storage/v1/b/my_bucket?projection=noAcl:
s_account@myproject.iam.gserviceaccount.com does not have
storage.buckets.get access to my_bucket

如果我设置了环境变量，我的运气会更好

I have somewhat better luck if I set the environment variable

export GOOGLE_APPLICATION_CREDENTIALS="home/user/.config/gcloud/service_admin.json"

并重新运行脚本.但是，我希望它们全部在脚本的一个实例中运行，该脚本创建帐户并继续在存储桶中创建必要的文件.如果我知道JSON凭证文件在哪里，如何访问my_bucket.

and rerun the script. However, I want it all to run in one single instance of the script that creates the accounts and continues to create the necessary files in the buckets. How can I access my_bucket if I know where my json credential file is.

推荐答案

从通过这种方式，您可以直接在代码中指向包含服务帐户密钥的文件.

This way you point the file containing the key of the Service Account directly in your code.

这篇关于通过Python中的服务帐户访问Google Cloud Storage的权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！