pull queues authorization from compute
I'm trying to access a pull queue from Google Compute with the Compute OAuth token using Python:
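
    from oauth2client import gce
    from apiclient.discovery import build
    import httplib2

    # MY_APPENGINE_PROJECT and PULL_QUEUE_NAME are defined elsewhere.
    # Credentials of the instance's service account, from the GCE metadata server.
    credentials = gce.AppAssertionCredentials('')
    http = httplib2.Http()
    http = credentials.authorize(http)
    credentials.refresh(http)

    # Task Queue REST API client, then a stats lookup on the pull queue.
    service = build('taskqueue', 'v1beta2', http=http)
    tq = service.taskqueues()
    tq.get(project=MY_APPENGINE_PROJECT, taskqueue=PULL_QUEUE_NAME, getStats=True).execute()
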
I keep getting HttpError 403 "you are not allowed to make this api call"
Please help, what configuration am I missing?
Thanks, Shay
UPDATE: Thanks to @Shay for asking this question, the issue he encountered is no longer an issue, as we have allowed aliases to work (when relevant) in the Task Queue API.
For posterity here is the original answer below:
Two of the most common mistakes I have seen are:

- Forgetting to include the s~ in your App Engine Project. For example, if your application ID is my-awesome-app, then you are calling

      tq.get(project='my-awesome-app', taskqueue=PULL_QUEUE_NAME...

  when you should be calling

      tq.get(project='s~my-awesome-app', taskqueue=PULL_QUEUE_NAME...

- Forgetting to add the Compute service account to the task queue ACL in queue.yaml. To do this, you need to get the service account associated with your project and add it to the acl:

      queue:
      - name: pull-queue
        mode: pull
        acl:
        - writer_email: 123845678986@project.gserviceaccount.com # can do all

  and of course this would mean PULL_QUEUE_NAME = 'pull-queue' here. Also note, 123845678986@project.gserviceaccount.com should be replaced with the service account for your Compute Engine instance.
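
The two checks from the original answer, written as an offline preflight (an added example, not part of the original question or answer). The function name `preflight` and the `QUEUE_CONFIG` dict are hypothetical; the dict is constructed to mirror the queue.yaml entry above as a YAML parser would load it.

```python
# Added example: offline preflight for the two causes of the 403 named in the answer.
# QUEUE_CONFIG is constructed sample data shaped like the parsed queue.yaml above.
QUEUE_CONFIG = {
    "queue": [
        {
            "name": "pull-queue",
            "mode": "pull",
            "acl": [
                {"writer_email": "123845678986@project.gserviceaccount.com"},
            ],
        },
    ]
}


def preflight(project, queue_name, service_account, config):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []

    # Mistake 1 from the answer: project passed without the "s~" prefix.
    if not project.startswith("s~"):
        findings.append("project %r lacks the 's~' prefix" % project)

    # Mistake 2: the caller's service account is missing from the queue ACL.
    queues = {q.get("name"): q for q in config.get("queue") or []}
    queue = queues.get(queue_name)
    if queue is None:
        findings.append("queue %r is not defined in queue.yaml" % queue_name)
        return findings
    if queue.get("mode") != "pull":
        findings.append("queue %r is not a pull queue" % queue_name)

    # Exact match after trimming whitespace; no wildcard or case folding assumed.
    writers = {
        str(entry.get("writer_email", "")).strip()
        for entry in queue.get("acl") or []
        if isinstance(entry, dict)
    }
    writers.discard("")
    if service_account.strip() not in writers:
        findings.append(
            "%s is not a writer_email on %r" % (service_account, queue_name)
        )
    return findings
```

Run it with the instance's actual service account before deploying queue.yaml; every account listed under `acl` gets access to the queue, so the list should hold only the accounts that need it.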