Python:如何使用特定用户而不是get_application_default()创建GoogleCredentials [英] Python: How can I create a GoogleCredentials using a specific user instead of get_application_default()
问题描述
我正在更新脚本以调用受OAuth2保护的Google Cloud端点.以前的版本假定单个用户先前已通过 gcloud auth login
进行了身份验证,因此能够使用默认值:
I'm updating a script to call OAuth2-protected Google Cloud endpoints. The previous version assumed a single user previously authenticated by gcloud auth login
and thus was able to use the default:
credentials = GoogleCredentials.get_application_default()
http = credentials.authorize(http)
但是,现在我必须以用户A的身份进行某些调用,并且以用户B的身份进行某些调用.我可以在Shell中执行以下步骤来生成访问令牌,但我希望直接在程序中进行操作:
However now I must do some calls as user A and some as user B. I can perform these steps in the shell to generate access tokens, but I would prefer to do it in the program directly:
gcloud auth login user_A@email.com
gcloud auth print-access-token user_A@email.com
有没有一种方法可以为两个不同的电子邮件生成两个 Credentials
值,而无需运行任何Shell命令?
Is there a way to generate two Credentials
values for two different emails without having to run any shell commands?
推荐答案
我的情况有些不同,但希望您可以找到与您的用例相同的情况.我正在使用服务帐户进行身份验证.
My case is a bit different but hopefully, you can find the equivalent for your use case. I'm using service accounts for authentication.
要成功进行身份验证,您需要三件事
You need 3 things for successful authentication
-
服务帐户文件.这是您创建服务帐户后获得的JSON文件
Service account file. This is the JSON file you get after creating a service account
范围.这指定您需要访问的Google API.就我而言,我需要访问Google Groups API.因此,我需要的范围是:" https://www.googleapis.com/auth/admin.directory.group "
SCOPES. This specifies which Google API you need to access. In my case I needed to access the Google Groups API. Hence the scope I needed was: "https://www.googleapis.com/auth/admin.directory.group"
您可以在此处找到所有范围的列表: https://developers.google.com/身份/协议/googlescopes
you can find the list of all scopes here: https://developers.google.com/identity/protocols/googlescopes
- 所需用户的电子邮件地址.这是您的服务帐户要模拟的用户的电子邮件地址(user_A@email.com).就我而言,我需要G Suite管理员的电子邮件,因为他们只能访问Google网上论坛.
以下是等效的Python代码:
Following is the equivalent Python code:
from google.oauth2 import service_account
from googleapiclient.discovery import build
SCOPES = ["https://www.googleapis.com/auth/admin.directory.group"]
SERVICE_ACCOUNT_FILE = "my-service-account.json"
credentials = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE,
scopes=SCOPES,
subject="admin@example.com")
admin_service = build("admin", "directory_v1", credentials=credentials)
group = admin_service.groups().list(domain="example.com").execute()
print("groups list: ", group)
现在根据您的问题是否要模拟其他用户.然后您可以使用
Now according to your question if you want to impersonate some other user. Then you can use
new_user_email = "user2@example.com"
user2_credentials = credentials.with_subject(new_user_email)
new_service = build("admin", "directory_v1", credentials=user2_credentials)
# use this new_service to call required APIs
以下是使用python库服务帐户进行身份验证的文档链接: https://google-auth.readthedocs.io/en/latest/reference/google.oauth2.service_account.html
Here is the link to the docs for authentication using service accounts for python library: https://google-auth.readthedocs.io/en/latest/reference/google.oauth2.service_account.html
Here is the link of how the Oauth flow happens in general for service accounts: https://github.com/googleapis/google-api-python-client/blob/master/docs/oauth-server.md
我希望这对您有所帮助.
I hope this was of some help to you.
PS-这是我对Stack Overflow的第一个答案,所以请告诉我如何改善我的答案.
PS - This is my first answer on Stack Overflow, so please do tell me how I could've improved my answer.
这篇关于Python:如何使用特定用户而不是get_application_default()创建GoogleCredentials的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!