使用服务帐户访问Google经销商API [英] Accessing Google Reseller API using Service Accounts
问题描述
我们在使用服务帐户访问转销商API时遇到问题。
客户机密的例子运行良好,但是我们需要在k8s(Kubernetes Engine)中部署它,而不需要重复刷新oauth会话(特别是这样做一次,因为它有点难Docker容器)。
虽然有很多关于如何使用python执行此操作的文档,但我们无法找到任何使用服务帐户访问的方式。
我们尝试了两个账户,一个是我们的用例直接创建的默认计算引擎。
都在G Suite中获得了转销商范围。
https://www.googleapis.com/auth/apps .order,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/siteverification,
我们继续收到googleapi:错误403:经过身份验证的用户无权执行此操作。 错误虽然使用
客户端,err = google.DefaultClient(ctx,reseller.AppsOrderScope)
if err!= nil {
log.Fatal(创建oauth客户端失败,zap.Error(err))
}
subs,err:= client.Subscriptions.List ().Do()
if err!= nil {
log.Fatal(列出订阅失败,zap.Error(err))
}
我在StackOverflow上阅读了一篇文章,认为经销商API需要用户模仿,但在Google和oauth2以及客户端库回收站没有导致这样做的方式。
Python在端到端教程中的描述如下:
$ p code credentials = ServiceAccountCredentials.from_json_keyfile_name(
JSON_PRIVATE_KEY_FILE,
OAUTH2_SCOPES).create_delegated(RESELLER_ADMIN_USER)
但是对于Go我找不到任何记录的方式。
这里有几点:$ b
$ b
- 使用服务帐户时,代理商API只需要模拟/域范围委派。换句话说,服务帐户本身无权直接调用API,但它有能力模拟有权调用经销商API的经销商用户(例如admin@reseller.example.com等)。 li>
- 您可以使用常规的三方OAuth 而不是服务帐户。您只需确保您请求脱机访问,以便获得长期存在的刷新令牌。
- 模拟/域范围委派与内置的默认服务帐户不兼容到AppEngine和ComputeEngine。您必须使用您在API项目中创建的服务帐户。
查看 Google提供的示例让您获得您需要的地方。
We are having issues accessing the reseller api using service accounts. The example with client secrets work well, but we would need to deploy this in k8s (Kubernetes Engine) without the need to refresh the oauth session on a recurring basis (especially doing this once, as it is kinda hard in a docker container).
While there is a lot of documentation on how to do this with python we could not find any way of getting access using a service account.
We tried two accounts, the default compute engine one and one created directly for our use case. Both got the reseller scope in G Suite.
https://www.googleapis.com/auth/apps.order,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/siteverification,
We keep getting "googleapi: Error 403: Authenticated user is not authorized to perform this action., insufficientPermissions" errors though when using
client, err = google.DefaultClient(ctx, reseller.AppsOrderScope)
if err != nil {
log.Fatal("creating oauth client failed", zap.Error(err))
}
subs, err := client.Subscriptions.List().Do()
if err != nil {
log.Fatal("listing subscriptions failed", zap.Error(err))
}
I read on a post on StackOverflow, that the Reseller API requires user impersonation but searching on this throughout Google and the oauth2 and client lib repos did not result in a way to do this. Python does this like described in the End-to-End Tutorial
credentials = ServiceAccountCredentials.from_json_keyfile_name(
JSON_PRIVATE_KEY_FILE,
OAUTH2_SCOPES).create_delegated(RESELLER_ADMIN_USER)
but for Go i could not find any documented way of doing this.
So few points here:
- Reseller API only requires impersonation / domain-wide delegation when using a service account. In other words, the service account itself has no rights to call the API directly but it does have the ability to impersonate a reseller user (e.g. admin@reseller.example.com or such) who has rights to call the Reseller API.
- You may be able to use regular 3-legged OAuth instead of a service account. You just need to make sure you request offline access so that you get a refresh token that is long lived.
- Impersonation / domain-wide delegation is not compatible with the default service accounts built-in to AppEngine and ComputeEngine. You must use a service account you created in your API project.
See if the samples Google provides get you where you need to be.
这篇关于使用服务帐户访问Google经销商API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
