IAM服务帐户密钥与Google凭据文件 [英] IAM Service Account Key vs Google Credentials File
问题描述
我正在编写代码以生成和下载Google Cloud服务帐户的私钥.
I'm writing code to generate and download a private key for a Google Cloud service account.
使用IAM API,我能够创建服务帐户,以及我对生成密钥的调用似乎有效.我得到了 IAM API中所述的服务帐户密钥创建密钥页,例如
Using the IAM API, I was able to create a service account, and my call to generate a key seems to be working. I get back a Service Account Key as described on the IAM API create key page, like
{
"privateKeyType": "TYPE_GOOGLE_CREDENTIALS_FILE",
"privateKeyData": "random-key-stringkajdkjakjfke", ...
}
我下载了此文件作为JSON响应,并尝试对其进行身份验证:
I downloaded this file as a JSON response and am trying to authenticate with it:
gcloud auth activate-service-account --key-file=service-account-key-file.json
不幸的是,我收到一条错误消息,指出
The .json key file is not in a valid format.
Unfortunately, I get an error stating
The .json key file is not in a valid format.
当我浏览Google Cloud Console流程时(IAM& Admin->服务帐户-> ...->创建密钥->创建),我得到了一个下载的JSON文件,看起来像
When I go though the Google Cloud Console flow (IAM & Admin -> Service accounts -> ... -> Create Key -> Create) I get a downloaded JSON file that looks like
{
"type": "service_account",
"private_key": "----BEGIN-PRIVATE-KEY-----",
"auth_uri": "https://gaiastaging.corp.google.com/o/oauth2/auth",
}
此文件看起来与IAM API的响应完全不同.解释我的错误!不幸的是,这种格式似乎没有在任何地方描述.在某些文档中已简要提及.它是Google凭据文件吗?
This file looks completely different than the response from the IAM API. Explains my error! Unfortunately, this format doesn't seem to be described anywhere. It's mentioned briefly in some docs. Is it a Google Credentials File?
我想获取IAM响应文件/JSON,并将其转换为第二个凭证文件.我尝试编写一些代码来对其进行转换,但是有些我不理解的字段,例如"auth_provider_x509_cert_url".
I'd like to take the IAM response file/JSON and convert it to the second credentials file. I've tried writing some code to convert it, but there are some fields like "auth_provider_x509_cert_url" that I don't understand.
也许转换文件也是错误的方法?更普遍地:
Perhaps converting the file is the wrong approach as well? More generally:
如何生成文件,然后使用该文件通过gcloud进行身份验证?
How can I generate a file and then use it to authenticate with gcloud?
我应该如何描述/区分以上两个文件?为什么每种类型的文件都有用?
How should I describe/distinguish between both of the above files? Why is each type of file useful?
推荐答案
关于两个文件:
Google凭据文件和服务帐户凭据文件是同一件事-它们都是我从Google Cloud Console页面下载的第二类文件.它们上没有很棒的官方文档页面,但是引用很多.可能还有应用程序默认凭据.
A Google Credentials file and a Service Account Credentials file are the same thing - they're both the second type of file that I downloaded off the Google Cloud Console page. No great official docs pages on them, but they're referenced a lot. Probably also Application Default Credentials.
IAM create调用的JSON响应-这只是对API调用的响应.除了与您的应用程序代码一起解析外,它没有用.
The JSON response from the IAM create call - this is just a response to an API call. It's not useful outside of parsing it with your application code.
要生成Google凭据文件,请执行以下操作:
To generate a Google Credentials file:
在对IAM创建的JSON响应中,有一个字段privateKeyData.此字段实际上包含整个Google凭据文件.它只是编码为base64字符串.我刚从HTML下载文件,
In the JSON response to the IAM create, there's a field privateKeyData. This field actually contains the entire Google Credentials file. It's just encoded as a base64 string. I just downloaded the file from HTML as
<a href="data:attachment/json;base64;charset=utf-8,THAT-LONG-privateKeyData-base64-string-here" download="service-account-key.json">
Download key
</a>
或者,如果您只是想快速确认它包含所有信息,请复制粘贴base64 privateKeyData字段到文件google-credentials中,并使用以下命令对其进行解码(在Linux上):
Or if you just want to confirm that it contains all the information quickly, copy paste the base64 privateKeyData field into a file google-credentials and decode it (on Linux) with:
base64 -d google-credentials
然后我就可以跑步
gcloud auth activate-service-account --key-file=google-credentials.json
得到
Activated service account credentials for: [service-account-id@project-id.iam.gserviceaccount.com]
这篇关于IAM服务帐户密钥与Google凭据文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
