我想创建一个到存储桶的预签名上传 URL,并希望避免显式引用 json 密钥。
目前,我正在尝试使用默认 App Engine 服务帐户来执行此操作
我正在尝试跟随这个答案 https://stackoverflow.com/a/64245028/7385884但我收到此错误:
AttributeError:您需要私钥来签署凭据。
您当前使用的凭据 仅包含
令牌。看https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-account https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-account更多细节。
我的云函数代码如下所示:
from google.cloud import storage
import datetime
import google.auth
def generate_upload_url(blob_name, additional_metadata: dict = {}):
credentials, project_id = google.auth.default()
# Perform a refresh request to get the access token of the current credentials (Else, it's None)
from google.auth.transport import requests
r = requests.Request()
credentials.refresh(r)
client = storage.Client()
bucket = client.get_bucket("my_bucket")
blob = bucket.blob(blob_name)
service_account_email = credentials.service_account_email
print(f"attempting to create signed url for {service_account_email}")
url = blob.generate_signed_url(
version="v4",
service_account_email=service_account_email,
access_token=credentials.token,
# This URL is valid for 120 minutes
expiration=datetime.timedelta(minutes=120),
# Allow PUT requests using this URL.
method="PUT",
content_type="application/octet-stream",
)
return url
def get_upload_url(request):
blob_name = get_param(request, "blob_name")
url = generate_upload_url(blob_name)
return url
当您使用签名 URL 的 v4 版本时,该方法的第一行 https://github.com/googleapis/python-storage/blob/9d5bb5622f17a0143fa6670406596e53d0068286/google/cloud/storage/_signing.py#L536 calls ensure_signed_credentials
检查当前服务帐户是否可以在独立模式下生成签名(因此使用私钥)的方法。所以,这打破了当前的行为。
在函数的注释中,清楚地描述了需要服务帐户JSON文件
If you are on Google Compute Engine, you can't generate a signed URL.
Follow `Issue 922`_ for updates on this. If you'd like to be able to
generate a signed URL from GCE, you can use a standard service account
from a JSON file rather than a GCE service account.
因此,请使用 v2 版本。
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)