Google Compute Engine VM上的gsutil无法将服务帐户身份验证与密钥文件一起使用 [英] gsutil on a Google Compute Engine VM can't use service account authentication with a key file

问题描述

我正在从google .net API启动实例，尽管我已尽力而为，但我无法将其复制到存储中或从存储中复制任何内容.目前，我正在使用这样的开发者控制台服务帐户进行身份验证:-

I'm launching an instance from the google .net API and despite my best efforts I can't get it to copy anything to or from storage. Currently I'm authenticating with a developer console service account like this:-

string ServiceAccountEmail = "blahblah@developer.gserviceaccount.com";

var certificate = new X509Certificate2(@"key.p12", "notasecret", X509KeyStorageFlags.Exportable);

ServiceAccountCredential credential = new ServiceAccountCredential(
    new ServiceAccountCredential.Initializer(ServiceAccountEmail)
    {
        Scopes = new[] { ComputeService.Scope.Compute, ComputeService.Scope.DevstorageFullControl }
    }.FromCertificate(certificate));

var cs = new ComputeService(new BaseClientService.Initializer
{
    ApplicationName = "appname",
    HttpClientInitializer = (Google.Apis.Http.IConfigurableHttpClientInitializer)credential,
});


Google.Apis.Compute.v1.Data.Instance newinst = new Google.Apis.Compute.v1.Data.Instance();
newinst.Name = "generatedinstance";
newinst.MachineType = "https://www.googleapis.com/compute/v1/projects/projectid/zones/zone/machineTypes/n1-standard-1";

Google.Apis.Compute.v1.Data.AttachedDisk ad = new Google.Apis.Compute.v1.Data.AttachedDisk();
ad.AutoDelete = true;
ad.Boot = true;
ad.Type = "PERSISTENT";
ad.InitializeParams = new Google.Apis.Compute.v1.Data.AttachedDiskInitializeParams();
ad.InitializeParams.DiskName = "newdisk";
ad.InitializeParams.SourceImage = "https://www.googleapis.com/compute/v1/projects/projectid/global/images/customimage";
ad.InitializeParams.DiskType = "https://www.googleapis.com/compute/v1/projects/projectid/zones/zone/diskTypes/pd-standard";
ad.Mode = "READ_WRITE";
newinst.Disks = new List<Google.Apis.Compute.v1.Data.AttachedDisk>();
newinst.Disks.Add(ad);

Google.Apis.Compute.v1.Data.NetworkInterface ni = new Google.Apis.Compute.v1.Data.NetworkInterface();
ni.Network = "https://www.googleapis.com/compute/v1/projects/projectid/global/networks/default";
ni.AccessConfigs = new List<Google.Apis.Compute.v1.Data.AccessConfig>();
ni.AccessConfigs.Add(new Google.Apis.Compute.v1.Data.AccessConfig
{
    Type = "ONE_TO_ONE_NAT",
    Name = "External NAT",
});
newinst.NetworkInterfaces = new List<Google.Apis.Compute.v1.Data.NetworkInterface>();
newinst.NetworkInterfaces.Add(ni);
var start = new Google.Apis.Compute.v1.Data.Metadata.ItemsData();
start.Key = "startup-script";
start.Value = "*startup script* includes gsutil cp which won't work without service account attached";
newinst.Metadata = new Google.Apis.Compute.v1.Data.Metadata();
newinst.Metadata.Kind = "compute#metadata";
newinst.Metadata.Items = new List<Google.Apis.Compute.v1.Data.Metadata.ItemsData>();
newinst.Metadata.Items.Add(start);
newinst.ServiceAccounts = new List<Google.Apis.Compute.v1.Data.ServiceAccount>();

//var sa = new Google.Apis.Compute.v1.Data.ServiceAccount();|with this section
//sa.Email = "blahblah@developer.gserviceaccount.com";      |the instance won't
//sa.Scopes = new[] { ComputeService.Scope.Compute,         |start. (An equivalent
    ComputeService.Scope.DevstorageFullControl };           |is found in instance
//newinst.ServiceAccounts.Add(sa);                          |start REST request)

var instinsert = new InstancesResource.InsertRequest(cs, newinst, "projectid", "zone");
var insertresponse = instinsert.Execute();

当我尝试使用gsutil cp时收到的消息是您当前没有选择活动帐户." .谁能告诉我我要去哪里错了?

The message I get when I try to use gsutil cp is "You do not currently have an active account selected.". Can anyone tell me where I'm going wrong?

推荐答案

好！问题解决了.我弄错的部分是问题中的注释-

OKAY! Problem solved. The part I was getting wrong was the bit commented out in the question-

var sa = new Google.Apis.Compute.v1.Data.ServiceAccount();
sa.Email = "blahblah@developer.gserviceaccount.com";
sa.Scopes = new[] { ComputeService.Scope.Compute,
    ComputeService.Scope.DevstorageFullControl };
newinst.ServiceAccounts.Add(sa);

在本部分中，我需要用于开发者控制台的主要服务帐户的电子邮件，而不是用于创建凭据的相同服务帐户，但不要问我为什么.关键是实例启动，现在gsutil很高兴复制了.
感谢您的宝贵时间，并为大家提供帮助！
罗斯

I needed the email for the main service account for the developer console in this section rather than the same service account I used to create the credentials but don't ask me why. Point is the instance launches and gsutil is now happily copying away.
Thanks for your time and help everyone!
Ross

这篇关于Google Compute Engine VM上的gsutil无法将服务帐户身份验证与密钥文件一起使用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！