Access Google Drive API from a Google Cloud function


Question

I've seen that there are different NodeJS modules that use Google APIs. What's the best practice to access files that are shared with the service account of a Google Cloud function?

Recommended answer

I develop mainly with Python, but it has a similar problem as Node that you mentioned: lots of libraries & too many differing code samples out there. Another issue is that accessing G Suite APIs (like Drive) is different than GCP APIs. (DISCLAIMER: I work at Google and am trying to improve this discrepancy.)

A service account identity is the best way to access the Drive API from GCF. However, you can choose either a Cloud Function's default service account identity (same for an App Engine app), or as another answer here suggested, a user-managed service account instead. The latter is a good idea if you're planning to have multiple identities that do different things, need differing types of access, etc., otherwise it's easier to use the default because you don't really have to do anything else other than create a private key-pair for that account.

Once you've decided on what type of service account, best to use the Google APIs Client Library for Node.js to talk to Drive, G Suite, and other non-GCP Google APIs. Follow the Drive API Node.js quickstart tutorial to learn how to "work it." Since Drive files typically belong to user accounts instead of service accounts, the auth example in the quickstart features OAuth client ID (user account) auth rather than service account auth to prompt the user (Drive owner) to give the app permission to access their data, so don't just cut-n-paste!

(If you're not using Cloud Functions, you're likely doing a web app or cmd-line tool. In that situation, if selecting user acct auth instead of service acct auth, end-users [Drive file owners] must explicitly grant permission via the familiar OAuth consent dialog for your code to access their files. As the developer, you'd need to set up that OAuth consent screen in the Cloud Console beforehand. NOTE: that screenshot was taken from my G Suite APIs intro tutorial [Python]).

Copy the necessary boilerplate from the sample and replace the user acct auth with service account auth. See the service account section of the Node.js client library docs on how to do it. Don't forget to create a private key-pair for whichever service account you decide to use from the Service accounts page and any roles/permissions it should have. It'll prompt you to download the key file once it's created, and then upload that w/your function (unless you use Secret Manager as suggested in another answer). By using client libraries, you avoid having to stick things in request headers (also as suggested in another answer). However, under no circumstances should you check that key file into Git if that's part of your CI/CD cycle; if your private key gets leaked/exposed publicly... DOOM shall befall you.
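
The warning above about never checking the key file into Git can be enforced mechanically. The following is an added example, not part of the original answer or of any Google tooling: a check that a pre-commit hook or CI step could run over the files in a commit. The function names and sample files are hypothetical; `type`, `private_key` and `client_email` are fields of the JSON key file downloaded from the Service accounts page.

```javascript
// Added example: flag Google service account key files before they reach Git.
const PEM_MARKER = /-----BEGIN (RSA |EC )?PRIVATE KEY-----/;

// Returns a reason string if `content` looks like key material, else null.
function classifyKeyFile(content) {
  try {
    const doc = JSON.parse(content);
    // Checking `type` alone is not enough: package.json also has a "type" field.
    if (doc && typeof doc === 'object' && doc.type === 'service_account' &&
        typeof doc.private_key === 'string' &&
        typeof doc.client_email === 'string') {
      return `service account key for ${doc.client_email}`;
    }
  } catch (err) {
    // Not JSON; fall through to the generic PEM check.
  }
  // Catches a private key pasted into any other text or JSON file.
  return PEM_MARKER.test(content) ? 'PEM private key block' : null;
}

// `files` is a list of {path, content} pairs, e.g. the staged files of a commit.
function findLeakedKeys(files) {
  const findings = [];
  for (const { path, content } of files) {
    const reason = classifyKeyFile(content);
    if (reason) findings.push({ path, reason });
  }
  return findings;
}

// Constructed sample input (not a real key, account or project).
const SAMPLE_FILES = [
  { path: 'functions/index.js',
    content: "exports.handler = (req, res) => res.send('ok');" },
  { path: 'functions/package.json',
    content: '{"name":"drive-fn","type":"commonjs"}' },
  { path: 'functions/key.json',
    content: JSON.stringify({
      type: 'service_account',
      project_id: 'example-project',
      private_key: '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n',
      client_email: 'drive-fn@example-project.iam.gserviceaccount.com',
    }) },
  { path: 'notes.txt',
    content: 'backup copy:\n-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n' },
];

console.log(findLeakedKeys(SAMPLE_FILES));
```

A hook that exits non-zero when `findLeakedKeys` returns any finding blocks the commit; listing the key file name in `.gitignore` as well keeps it from being staged in the first place.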
