Using a JSON key with Google Cloud gsutil


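I have an ssh private key in a file, key.json, and I want to use this credential to access a bucket through gsutil.

I can't seem to find any information on how to use a json key as an authentication method, only "private" and "secret" fields.

The file is structured as follows: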

{
  "private_key_id":
  "private_key": "-----BEGIN PRIVATE KEY-- ...
  "client_email":
  "client_id":
  "type": "service_account"
}

How do I use this file with gsutil?

Answer 1

In short, run the following command and follow the instructions:

gsutil config -e

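The gsutil tool has built-in help that covers its various options and modes of operation. Running gsutil help creds (one of the help options suggested when gsutil is run on its own), we can read the "OAuth2 Service Account" section to see the instructions for using a service account's json key file: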

OAuth2 Service Account:

This is the preferred type of credential to use when authenticating on
behalf of a service or application (as opposed to a user). For example, if
you will run gsutil out of a nightly cron job to upload/download data,
using a service account allows the cron job not to depend on credentials of
an individual employee at your company. This is the type of credential that
will be configured when you run "gsutil config -e".

It is important to note that a service account is considered an Editor by
default for the purposes of API access, rather than an Owner. In particular,
the fact that Editors have OWNER access in the default object and
bucket ACLs, but the canned ACL options remove OWNER access from
Editors, can lead to unexpected results. The solution to this problem is to
ensure the service account is an Owner in the Permissions tab for your
project. To find the email address of your service account, visit the
`Google Developers Console <https://cloud.google.com/console#/project>`_,
click on the project you're using, click "APIs & auth", and click
"Credentials".

To create a service account, visit the Google Developers Console and then:

   - Click "APIs & auth" in the left sidebar.

   - Click "Credentials".

   - Click "Create New Client ID".

   - Select "Service Account" as your application type.

   - Save the JSON private key or the .p12 private key and password
     provided.

For further information about account roles, see:
  https://developers.google.com/console/help/#DifferentRoles

For more details about OAuth2 service accounts, see:
  https://developers.google.com/accounts/docs/OAuth2ServiceAccount

Answer 2

As of today, gsutil config -e is still in the documentation when you run gsutil help config, but it doesn't work. gsutil help creds says to run gcloud auth activate-service-account first.

So I did:

gcloud auth activate-service-account --key-file=mycredentialsialreadyhad.json

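This populated ~/.config/gcloud/ and gsutil now works.

From the documentation:

OAuth2 Service Account: This is the preferred type of credential to use when authenticating on behalf of a service or application (as opposed to a user). (...). This is the type of credential that will be configured when you run "gsutil config -e". To configure service account credentials when installed via the Cloud SDK, run "gcloud auth activate-service-account".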
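As an added example (not part of either answer, and not gsutil or gcloud code): a pre-flight check on the key file before handing it to the gcloud auth activate-service-account command from answer 2. The field list comes from the question; the owner-only permission rule, the function names and the sample key are assumptions made here.

```python
import json
import os
import stat
import tempfile

# Fields shown in the question's key.json layout.
REQUIRED_FIELDS = ("private_key_id", "private_key", "client_email", "client_id", "type")

def check_key_file(path):
    """Return a list of problems found in a service account key file (empty if none)."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)  # added hygiene check, not from the page
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} lets group/other access the key; use chmod 600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + [f"not readable as JSON: {exc}"]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    for field in REQUIRED_FIELDS:
        if not isinstance(key.get(field), str) or not key[field]:
            problems.append(f"missing or empty field: {field}")
    if key.get("type") not in (None, "service_account"):
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    return problems

def activation_command(path):
    """Build the command from answer 2; refuse if the key file fails the checks."""
    if problems := check_key_file(path):
        raise ValueError("; ".join(problems))
    return ["gcloud", "auth", "activate-service-account", f"--key-file={path}"]

def write_sample_key(directory, mode=0o600, **overrides):
    """Write a constructed, non-functional key file for the demonstration."""
    key = dict(private_key_id="0000", client_id="0000", type="service_account",
               client_email="demo@example.invalid",
               private_key="-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n")
    path = os.path.join(directory, "key.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({**key, **overrides}, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(activation_command(write_sample_key(tmp)))
```

The returned list can be passed to subprocess.run once the checks pass; nothing here contacts Google Cloud.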
