我在一个旧的谷歌计算引擎上有一个工作的nodejs应用程序。在将应用程序迁移到新的计算引擎之后,我看到了这一行:
const [files] = await storage.bucket(GOOGLE_CLOUD_PROJECT_ID_PUBLIC).getFiles();
下面的例外:
Error: Could not refresh access token: A Not Found error was returned while attempting to retrieve an accesstoken for the Compute Engine built-in service account. This may be because the Compute Engine instance does not have any permission scopes specified: Could not refresh access token:
at Gaxios._request (/smar/backend.smar.shop/node_modules/gaxios/build/src/gaxios.js:129:23)
at processTicksAndRejections (internal/process/task_queues.js:93:5)
at async metadataAccessor (/smar/backend.smar.shop/node_modules/gcp-metadata/build/src/index.js:68:21)
at async Compute.refreshTokenNoCache (/smar/backend.smar.shop/node_modules/google-auth-library/build/src/auth/computeclient.js:53:20)
at async Compute.getRequestMetadataAsync (/smar/backend.smar.shop/node_modules/google-auth-library/build/src/auth/oauth2client.js:261:17)
at async Compute.getRequestHeaders (/smar/backend.smar.shop/node_modules/google-auth-library/build/src/auth/oauth2client.js:238:26)
at async GoogleAuth.authorizeRequest (/smar/backend.smar.shop/node_modules/google-auth-library/build/src/auth/googleauth.js:600:25)
at async Promise.all (index 1)
我猜这里重要的部分是:因为计算引擎实例没有指定的任何权限范围
有人能告诉我这是什么意思,或者我在哪里可以找到这些权限范围?是否需要修改计算引擎的配置?
Scopehttps://www.googleapis.com/auth/cloud-platformaliascloud-platform为虚拟机最不需要的。另一个实例可能使用具有不同角色和/或不同API访问范围的不同服务帐户?
见"在谷歌云平台注册你的应用程序为谷歌云存储JSON API ";这至少是NodeJS客户端文档所建议的。还看到:
- 设置新实例作为服务帐户运行
- 更改实例的服务帐户和访问范围
- 云存储IAM权限