我可以同时使用服务帐户和用户凭据对gcloud cli进行身份验证吗? [英] Can I authenticate gcloud cli using both service account and user credentials?
问题描述
Google API客户端通常可以识别GOOGLE_APPLICATION_CREDENTIALS
环境变量.如果找到,则期望它指向带有服务帐户或用户凭据的JSON文件.
Google API clients typically recognise the GOOGLE_APPLICATION_CREDENTIALS
environment variable. If found, it's expected to point to a JSON file with credentials for either a service account or a user.
可以从GCP网络控制台下载服务帐户凭据,如下所示:
Service account credentials can be downloaded from the GCP web console and look like this:
{
"type": "service_account",
"project_id": "...",
"private_key_id": "...",
"private_key": "...",
"client_email": "...",
"client_id": "...",
"auth_uri": "...",
"token_uri": "...",
"auth_provider_x509_cert_url": "...",
"client_x509_cert_url": "..."
}
用户凭据通常在~/.config/gcloud/application_default_credentials.json
中可用,其外观类似于:
User credentials are often available in ~/.config/gcloud/application_default_credentials.json
and look something like:
{
"client_id": "...",
"client_secret": "...",
"refresh_token": "...",
"type": "authorized_user"
}
以下是Google官方rubygem 检测通过环境var 提供的凭据的类型.
Here's an example of the official google rubygem detecting the type of credentials provided via the environment var.
我想使用两种凭证对未配置的gcloud安装进行身份验证.在我们的例子中,我们碰巧将GOOGLE_APPLICATION_CREDENTIALS
变量和路径传递到Docker容器中,但是我认为这对于在docker外部进行全新安装也是一个有效的问题.
I'd like to authenticate an unconfigured gcloud install with both types of credential. In our case we happen to be passing the GOOGLE_APPLICATION_CREDENTIALS
variable and path into a docker container, but I think this is a valid question for clean installs outside docker too.
如果凭据文件是服务帐户类型,则可以执行以下操作:
If the credentials file is a service account type, I can do this:
gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}
但是,我看不到任何方法来处理凭据属于真实用户的情况.
However I can't see any way to handle the case where the credentials belong to a real user.
问题:
- 为什么正式的gcloud工具不遵循其他google API客户端使用的约定,并在可用的情况下使用
GOOGLE_APPLICATION_CREDENTIALS
? - 是否有一个隐藏的方法可以激活用户凭证的情况?
推荐答案
当GOOGLE_APPLICATION_CREDENTIALS
指向具有用户凭据而非服务帐户凭据的文件时,我发现了一种对新gcloud进行身份验证的方法.
I've found a way to authenticate a fresh gcloud when GOOGLE_APPLICATION_CREDENTIALS
points to a file with user credentials rather than service account credentials.
cat ${GOOGLE_APPLICATION_CREDENTIALS}
{
"client_id": "aaa",
"client_secret": "bbb",
"refresh_token": "ccc",
"type": "authorized_user"
}
gcloud config set auth/client_id aaa
gcloud config set auth/client_secret bbb
gcloud auth activate-refresh-token user ccc
这使用了未记录的auth activate-refresh-token
子命令-这不是理想选择-但确实可以.
This uses the undocumented auth activate-refresh-token
subcommand - which isn't ideal - but it does work.
与gcloud auth activate-service-account --key-file=credentials.json
配对,这使得可以初始化gcloud,而与$GOOGLE_APPLICATION_CREDENTIALS
Paired with gcloud auth activate-service-account --key-file=credentials.json
, this makes it possible to initialize gcloud regardless of the credential type available at $GOOGLE_APPLICATION_CREDENTIALS
这篇关于我可以同时使用服务帐户和用户凭据对gcloud cli进行身份验证吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!