Authenticating standalone gsutil in containers in Cloud ML Engine on Kubernetes with Workload Identity


Problem description

I'm launching container images on Google Cloud AI Training (Cloud ML Engine)

Inside those containers I need to use gsutil. Some containers have gsutil. In that case I can use it right away without any authentication steps.

Some containers do not have gsutil, so I have to install it. The problem is that the installed gsutil does not work.

When I'm using the official cloud-sdk image, gsutil works without any auth steps.

When I use the python:3.7 image and install gsutil from PyPI it does not work:

python -m pip install gsutil --quiet
gsutil cp a gs://b/c

ServiceException: 401 Anonymous caller does not have storage.objects.get access to ...

How can I make it so that the standalone gsutil obtains the needed credentials?

Most guides focus on manually calling gcloud auth, copying a URL and copying back the token. This is not the solution that I seek (which should be automated). I know that the automated solution is possible since in some images gsutil works out of the box.

Recommended answer

This is because pip install gsutil alone does not configure the credentials, which is why the caller is an anonymous user, as the error says. You'll want to configure credentials to access protected data.

Put the following line in your Dockerfile and it should work:

RUN echo '[GoogleCompute]\nservice_account = default' > /etc/boto.cfg

This configures gsutil to use the default service account.
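
The answer's one-liner, generalized into an idempotent shell helper that can run at image build or container start. This is an added example, not part of the original answer; the function names gce_section_state and ensure_gce_service_account are hypothetical.

```shell
#!/bin/sh
# Added example: make sure a boto config file tells gsutil to use the
# default service account, without clobbering settings already in the file.

# Exit status: 0 = [GoogleCompute] has a service_account key,
#              2 = [GoogleCompute] section exists but has no such key,
#              1 = no such section, or the file does not exist.
gce_section_state() {
    [ -f "$1" ] || return 1
    awk '
        /^[ \t]*\[/ {
            in_sec = ($0 ~ /^[ \t]*\[GoogleCompute\][ \t]*$/)
            if (in_sec) seen = 1
        }
        in_sec && /^[ \t]*service_account[ \t]*[=:]/ { found = 1 }
        END { if (found) exit 0; if (seen) exit 2; exit 1 }
    ' "$1"
}

# Append the section to the given file (default /etc/boto.cfg) if it is missing.
ensure_gce_service_account() {
    cfg=${1:-/etc/boto.cfg}
    state=0
    gce_section_state "$cfg" || state=$?
    case $state in
        0) return 0 ;;  # already configured, nothing to do
        2) # do not append a second section header; leave it for a manual edit
           echo "$cfg: [GoogleCompute] exists without service_account" >&2
           return 2 ;;
    esac
    # printf expands \n in every POSIX shell; echo only does so in some
    # (dash does, bash does not by default). The leading \n protects
    # against an existing file that lacks a trailing newline.
    printf '\n[GoogleCompute]\nservice_account = default\n' >> "$cfg"
}

# Usage, for example from a Dockerfile RUN step or an entrypoint script:
#   ensure_gce_service_account /etc/boto.cfg
```

With this setting the image carries no key file or token; gsutil requests credentials for the default service account from the metadata server at run time.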
