从 Google Cloud 函数访问 Google Drive API [英] Access Google Drive API from a Google Cloud function
问题描述
我已经看到有不同的 NodeJS 模块使用 Google API.访问与 Google Cloud 功能的服务帐号共享的文件的最佳做法是什么?
I've seen that there are different NodeJS modules that use Google APIs. What's the best practice to access files that are shared with the service account of a Google Cloud function?
推荐答案
我主要用 Python 开发,但它有一个和你提到的 Node 类似的问题:很多库 &有太多不同的代码示例.另一个问题是访问 G Suite API(如 Drive)与 GCP API 不同.(披露:我在 Google 工作,正在努力改善这种差异.)
I develop mainly with Python, but it has a similar problem as Node that you mentioned: lots of libraries & too many differing code samples out there. Another issue is that accessing G Suite APIs (like Drive) is different than GCP APIs. (DISCLOSURE: I work at Google and am trying to improve this discrepancy.)
服务帐户身份是从 GCF 访问 Drive API 的最佳方式.但是,您可以选择 Cloud Functions 的默认服务帐户身份(App Engine 应用程序相同),或者作为这里建议的另一个答案,用户管理的服务帐户.如果您计划拥有多个身份来做不同的事情、需要不同类型的访问等,后者是一个好主意,否则使用默认值会更容易,因为除了创建之外,您实际上不需要做任何其他事情该帐户的私钥对.
A service account identity is the best way to access the Drive API from GCF. However, you can choose either a Cloud Function's default service account identity (same for an App Engine app), or as another answer here suggested, a user-managed service account instead. The latter is a good idea if you're planning to have multiple identities that do different things, need differing types of access, etc., otherwise it's easier to use the default because you don't really have to do anything else other than create a private key-pair for that account.
一旦您决定了哪种类型的服务帐户,最好使用 Google用于 Node.js 的 API 客户端库,用于与 Drive、G Suite 和其他非 GCP Google API 通信.按照Drive API Node.js 快速入门教程了解如何";工作.由于云端硬盘文件通常属于用户帐户而不是服务帐户,因此快速入门中的身份验证示例具有 OAuth 客户端 ID(用户帐户)身份验证 而不是 服务帐户身份验证 提示用户(驱动器所有者)授予应用访问其数据的权限,所以不要只是剪切和粘贴!
Once you've decided on what type of service account, best to use the Google APIs Client Library for Node.js to talk to Drive, G Suite, and other non-GCP Google APIs. Follow the Drive API Node.js quickstart tutorial to learn how to "work it." Since Drive files typically belong to user accounts instead of service accounts, the auth example in the quickstart features OAuth client ID (user account) auth rather than service account auth to prompt the user (Drive owner) to give the app permission to access their data, so don't just cut-n-paste!
(如果您不使用 Cloud Functions,您可能正在使用 Web 应用程序或 cmd 行工具.在那种情况下,如果选择 user acct auth 而不是 service acct auth,结束- 用户 [云端硬盘文件所有者] 必须明确通过熟悉的OAuth 同意对话框,用于您的代码访问他们的文件.作为开发人员,您需要事先在 Cloud Console 中设置该 OAuth 同意屏幕.注意:该屏幕截图来自我的G Suite API 介绍教程 [Python]).
(If you're not using Cloud Functions, you're likely doing a web app or cmd-line tool. In that situation, if selecting user acct auth instead of service acct auth, end-users [Drive file owners] must explicitly grant permission via the familiar OAuth consent dialog for your code to access their files. As the developer, you'd need to setup that OAuth consent screen in the Cloud Console beforehand. NOTE: that screenshot was taken from my G Suite APIs intro tutorial [Python]).
从示例中复制必要的样板并将用户 acct auth 替换为服务帐户 auth.请参阅 Node.js 客户端库的服务帐户部分 有关如何操作的文档.不要忘记从 服务帐户页面及其应具有的任何角色/权限.创建密钥文件后,它会提示您下载密钥文件,然后使用您的函数上传该文件(除非您按照另一个答案中的建议使用 Secret Manager).通过使用客户端库,您可以避免将内容粘贴在请求标头中(也如另一个答案中所建议的那样).然而,如果那是 CI/CD 周期的一部分,则在任何情况下都不应将该密钥文件检入 Git;如果您的私钥被公开泄露/暴露... DOOM 将降临到您身上.
Copy the necessary boilerplate from the sample and replace the user acct auth with service account auth. See the service account section of the Node.js client library docs on how to do it. Don't forget to create a private key-pair for whichever service account you decide to use from the Service accounts page and any roles/permissions it should have. It'll prompt you to download the key file once it's created, and then upload that w/your function (unless you use Secret Manager as suggested in another answer). By using client libraries, you avoid having to stick things in request headers (also as suggested in another answer). However, under no circumstances should you check that key file into Git if that's part of your CI/CD cycle; if your private key gets leaked/exposed publicly... DOOM shall befall you.
这篇关于从 Google Cloud 函数访问 Google Drive API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
