我可以同时使用服务帐户和用户凭据对gcloud cli进行身份验证吗? [英] Can I authenticate gcloud cli using both service account and user credentials?

问题描述

Google API客户端通常可以识别GOOGLE_APPLICATION_CREDENTIALS环境变量.如果找到，则期望它指向带有服务帐户或用户凭据的JSON文件.

Google API clients typically recognise the GOOGLE_APPLICATION_CREDENTIALS environment variable. If found, it's expected to point to a JSON file with credentials for either a service account or a user.

可以从GCP网络控制台下载服务帐户凭据，如下所示:

Service account credentials can be downloaded from the GCP web console and look like this:

{
  "type": "service_account",
  "project_id": "...",
  "private_key_id": "...",
  "private_key": "...",
  "client_email": "...",
  "client_id": "...",
  "auth_uri": "...",
  "token_uri": "...",
  "auth_provider_x509_cert_url": "...",
  "client_x509_cert_url": "..."
}

用户凭据通常在~/.config/gcloud/application_default_credentials.json中可用，其外观类似于:

User credentials are often available in ~/.config/gcloud/application_default_credentials.json and look something like:

{
  "client_id": "...",
  "client_secret": "...",
  "refresh_token": "...",
  "type": "authorized_user"
}

以下是Google官方rubygem 检测通过环境var 提供的凭据的类型.

Here's an example of the official google rubygem detecting the type of credentials provided via the environment var.

我想使用两种凭证对未配置的gcloud安装进行身份验证.在我们的例子中，我们碰巧将GOOGLE_APPLICATION_CREDENTIALS变量和路径传递到Docker容器中，但是我认为这对于在docker外部进行全新安装也是一个有效的问题.

I'd like to authenticate an unconfigured gcloud install with both types of credential. In our case we happen to be passing the GOOGLE_APPLICATION_CREDENTIALS variable and path into a docker container, but I think this is a valid question for clean installs outside docker too.

如果凭据文件是服务帐户类型，则可以执行以下操作:

If the credentials file is a service account type, I can do this:

gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}

但是，我看不到任何方法来处理凭据属于真实用户的情况.

However I can't see any way to handle the case where the credentials belong to a real user.

问题:

1. 为什么正式的gcloud工具不遵循其他google API客户端使用的约定，并在可用的情况下使用GOOGLE_APPLICATION_CREDENTIALS?
2. 是否有一个隐藏的方法可以激活用户凭证的情况?

推荐答案

当GOOGLE_APPLICATION_CREDENTIALS指向具有用户凭据而非服务帐户凭据的文件时，我发现了一种对新gcloud进行身份验证的方法.

I've found a way to authenticate a fresh gcloud when GOOGLE_APPLICATION_CREDENTIALS points to a file with user credentials rather than service account credentials.

cat ${GOOGLE_APPLICATION_CREDENTIALS}
{
 "client_id": "aaa",
 "client_secret": "bbb",
 "refresh_token": "ccc",
 "type": "authorized_user"
}

gcloud config set auth/client_id aaa                                                                                             
gcloud config set auth/client_secret bbb                                                                                     
gcloud auth activate-refresh-token user ccc

这使用了未记录的auth activate-refresh-token子命令-这不是理想选择-但确实可以.

This uses the undocumented auth activate-refresh-token subcommand - which isn't ideal - but it does work.

与gcloud auth activate-service-account --key-file=credentials.json配对，这使得可以初始化gcloud，而与$GOOGLE_APPLICATION_CREDENTIALS

Paired with gcloud auth activate-service-account --key-file=credentials.json, this makes it possible to initialize gcloud regardless of the credential type available at $GOOGLE_APPLICATION_CREDENTIALS

这篇关于我可以同时使用服务帐户和用户凭据对gcloud cli进行身份验证吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！