Appengine Flex服务帐户访问Drive文件夹的权限不足 [英] Insufficient Permission with Appengine Flex service account to access Drive folder
问题描述
$ b
凭证= GoogleCredentials \
.get_application_default()\
.create_scoped('https://www.googleapis.com/auth/drive')
drive = discovery.build(
'drive',
'v3',
http = self.credentials.authorize(Http())
)
drive.files()\
.get(fileId = file_id)\
.execute()
本地使用面板生成的服务帐户,但是当我部署应用程序时,AppEngine灵活环境中的服务帐户出现问题。
17 :15:04.000 /env/lib/python3.4/site-packages/oauth2client/contrib/gce.py:99:UserWarning:您已请求显式范围与GCE服务帐户配合使用。
17:15:04.000使用此参数将不会影响令牌
17:15:04.000请求的实际范围。这些作用域在VM实例创建时设置,
17:15:04.000不能在请求中被覆盖。
17:15:04.000
17:15:04.000 warnings.warn(_SCOPES_WARNING)
17:15:04.000信息:googleapiclient.discovery:请求的URL:GET https:// www。 googleapis.com/discovery/v1/apis/drive/v3/rest
17:15:04.000信息:oauth2client.client:尝试刷新以获取初始access_token
17:15:04.000信息:googleapiclient.discovery :请求的URL:GET https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json
17:15:04.000错误:root:无法检索文件0B0K .... M1pBNFE。是否与我分享? project-id@appspot.gserviceaccount.com
17:15:04.000追溯(最近一次调用最后):
17:15:04.000文件/home/vmagent/app/script.py,行45,获得
17:15:04.000 .execute()
17:15:04.000文件/env/lib/python3.4/site-packages/oauth2client/util.py,第135行,位于locations_wrapper
17:15:04.000返回包装(* args,** kwargs)
17:15:04.000文件/env/lib/python3.4/site-packages/googleapiclient/http。 py,第760行,执行
17:15:04.000引发HttpError(resp,content,uri = self.uri)
17:15:04.000 googleapiclient.errors.HttpError:< HttpError 403 when请求https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json返回权限不足>
我已经检查了权限,他们都已设置。这个问题可能是由于使用这个参数不起作用...的消息,当试图创建范围证书时出现。 解决方案
正如您在之前的评论中提到的,这是已知问题。如 araf ... @ google.com 所述,似乎灵活环境中的App Engine实例会将uderlying GCE虚拟机的凭据视为应用程序默认凭据。
作为解决方法在此期间,您可以根据 使用适用于服务器到服务器应用程序的OAuth 2.0 。
对于受此问题影响的任何人或解决方法无效的用户,请发布有关上述问题。
I have written an application that uses all the clients/sdks as officially documented.
credentials = GoogleCredentials \
.get_application_default() \
.create_scoped('https://www.googleapis.com/auth/drive')
drive = discovery.build(
'drive',
'v3',
http=self.credentials.authorize(Http())
)
drive.files() \
.get(fileId=file_id) \
.execute()
It works perfect in local with a Service Account generated from the panel, but when I deploy the application, the service account within AppEngine flexible environment runs into problems.
17:15:04.000 /env/lib/python3.4/site-packages/oauth2client/contrib/gce.py:99: UserWarning: You have requested explicit scopes to be used with a GCE service account.
17:15:04.000 Using this argument will have no effect on the actual scopes for tokens
17:15:04.000 requested. These scopes are set at VM instance creation time and
17:15:04.000 can't be overridden in the request.
17:15:04.000
17:15:04.000 warnings.warn(_SCOPES_WARNING)
17:15:04.000 INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/drive/v3/rest
17:15:04.000 INFO:oauth2client.client:Attempting refresh to obtain initial access_token
17:15:04.000 INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json
17:15:04.000 ERROR:root:Failed to retrieve file 0B0K....M1pBNFE. Is it shared with me? project-id@appspot.gserviceaccount.com
17:15:04.000 Traceback (most recent call last):
17:15:04.000 File "/home/vmagent/app/script.py", line 45, in get
17:15:04.000 .execute()
17:15:04.000 File "/env/lib/python3.4/site-packages/oauth2client/util.py", line 135, in positional_wrapper
17:15:04.000 return wrapped(*args, **kwargs)
17:15:04.000 File "/env/lib/python3.4/site-packages/googleapiclient/http.py", line 760, in execute
17:15:04.000 raise HttpError(resp, content, uri=self.uri)
17:15:04.000 googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json returned "Insufficient Permission">
I have checked the permissions and they are all set. The problem is probably due to the "Using this argument will have no effect..." message, that appears when trying to create the scoped credentials.
As you've mentioned in a prior comment, this is a known issue. As described by araf...@google.com, it seems that App Engine instances in the flexible environment assume the credentials of the uderlying GCE VM as the application default credentials.
As a workaround in the meantime, you can use a manually created service account exported as a JSON key stored in your app, as per Using OAuth 2.0 for Server to Server Applications.
For anyone affected by this issue or for whom the workaround is ineffective, please post any relevant information on said issue.
这篇关于Appengine Flex服务帐户访问Drive文件夹的权限不足的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
