How to determine authentication method while using Google Cloud Platform client libraries locally


Problem description

I'm currently able to run a local Python script that calls the Google Vision API using the Python client library (specifically, I'm using the google-cloud-vision package). However, I'm curious about how it's authenticating. In the Python script that I'm running locally I do not provide any authentication information. From reading the below posts, it seems that a common way to authenticate when running locally is to set an environment variable to the path of a .JSON key file (i.e. export GOOGLE_APPLICATION_CREDENTIALS=path/to/JSON/key/file), however, I don't recall doing this and if I run printenv, I do not have an environment variable called GOOGLE_APPLICATION_CREDENTIALS.

The below posts provide great details about different ways to authenticate using the client libraries locally, but how can I see/determine exactly how my program is being authenticated? Is there a way to query for this?

"Authenticating to the Cloud Vision API"...including the "Application Default Credentials" part of the above page

"Authenticating Applications With a Client Library" section of Creating and Enabling Service Accounts for Instances

"Providing Credentials to Your Application" section of "Setting Up Authentication for Server to Server Production Capabilities" page

"Setting the Environment Variable" Section of "Getting Started With Authentication" page:

Python client libraries "Getting Started" page:

"Authenticating to Cloud API services"

Recommended answer

There are 4 different ways for the request to be authenticated without creating a credentials object.

  1. If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set to the path of a valid service account JSON private key file, then it is used.
  2. If the Google Cloud SDK is installed and has application default credentials set then it is used. Note that if you've done this step once in the past, it will stay valid. (I'm guessing that this is what you're currently using to authenticate.)
  3. If the application is running in the App Engine Standard environment then the credentials and project ID from the App Identity Service are used. (Not applicable here but I'm listing it for completeness' sake.)
  4. If the application is running in Compute Engine or the App Engine flexible environment then the credentials and project ID are obtained from the Metadata Service. (Not applicable here but I'm listing it as well for completeness' sake.)

If no credentials are found using the methods above, DefaultCredentialsError will be raised. Since you're not getting this error, and you don't have the environment variable from #1 set, and options #3 & #4 are not applicable, the only option that remains is number #2.

The above information can be found on the readthedocs.io page for the google-cloud Authentication page, and more specifically in the google.auth package page

If this doesn't return an error but an access token, it means that #2 is set up. Don't share this token with anyone of course...

Some related information, you can check the token that was printed out with the command above here, or using the curl command below (paste the token at the end):

curl -i https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=

This doesn't exactly answer your question, but by process of elimination it should be the correct one...
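
A read-only way to check which of the two local options (#1 or #2) applies, as an added example that is not part of the original answer or of any Google library: it walks the same file lookup by hand and reports only the credential type and service account e-mail, never the key material. The function names are hypothetical, and the CLOUDSDK_CONFIG / APPDATA handling and the well-known file name are this example's assumptions about where the Cloud SDK stores application default credentials.

```python
import json
import os
from pathlib import Path

# Assumption: file name the Cloud SDK uses for application default credentials.
ADC_FILENAME = "application_default_credentials.json"

def gcloud_config_dir(env, home):
    """Cloud SDK config directory (assumed lookup: CLOUDSDK_CONFIG, APPDATA, ~/.config)."""
    if env.get("CLOUDSDK_CONFIG"):
        return Path(env["CLOUDSDK_CONFIG"])
    if os.name == "nt" and env.get("APPDATA"):
        return Path(env["APPDATA"]) / "gcloud"
    return Path(home) / ".config" / "gcloud"

def describe(path):
    """Read a credentials file and return non-secret fields only."""
    try:
        info = json.loads(Path(path).read_text())
    except (OSError, ValueError) as exc:
        return {"path": str(path), "error": type(exc).__name__}
    # "service_account" = key file; "authorized_user" = gcloud user credentials.
    return {"path": str(path), "type": info.get("type"),
            "client_email": info.get("client_email")}

def locate_adc(env=None, home=None):
    """Report which local credential source (#1 or #2 above) would be picked up."""
    env = os.environ if env is None else env
    home = Path.home() if home is None else home
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        return {"source": "#1 GOOGLE_APPLICATION_CREDENTIALS", **describe(explicit)}
    well_known = gcloud_config_dir(env, home) / ADC_FILENAME
    if well_known.is_file():
        return {"source": "#2 Cloud SDK application default credentials",
                **describe(well_known)}
    # Nothing on disk: only #3/#4 (App Engine, metadata service) remain,
    # otherwise the library raises DefaultCredentialsError.
    return {"source": "none found locally"}

if __name__ == "__main__":
    print(json.dumps(locate_adc(), indent=2))
```
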
