对于谷歌云平台存储客户端的身份验证,我不想将服务帐户JSON(您创建的凭据文件(写入磁盘。我想在从所有云实例共享的Hashicorp Vault密钥库加载它们之后,将它们纯粹保存在内存中。有没有一种方法可以直接传递JSON凭据,而不是传递类路径/文件对象?
我理解如何使用类似路径/文件的对象来实现这一点,如下所示,但这正是我想要避免的(由于安全问题,我宁愿永远不要将它们写入磁盘(:
from google.cloud import storage
# set an environment variable that relies on a JSON file
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service_account.json"
# create the client (assumes the environment variable is set)
client = storage.Client()
# alternately, one can create the client without the environment
# variable, but this still relies on a JSON file.
client = storage.Client.from_service_account_json("/path/to/service_account.json")
我试图通过直接引用JSON DATA(JSON_DATA(来解决这个问题,但这会引发错误:TypeError: expected str, bytes or os.PathLike object, not dict
json_data = {....[JSON]....}
client = storage.Client.from_service_account_json(json_data)
此外,转储到JSON,但我得到错误:
with io.open(json_credentials_path, "r", encoding="utf-8") as json_fi:
OSError: [Errno 63] File name too long: '{"type": "service_account", "project_id",......
json_data = {....[JSON]....}
client = storage.Client.from_service_account_json(json.dumps(json_data))
根据@johnhanley的建议,我也尝试过:
from google.cloud import storage
from google.oauth2 import service_account
json_data = {...data loaded from keystore...}
type(json_data)
dict
credentials = service_account.Credentials.from_service_account_info(json_data)
type(credentials)
google.oauth2.service_account.Credentials
client = storage.Client(credentials=credentials)
这导致了DefaultCredentialsError:
raise exceptions.DefaultCredentialsError(_HELP_MESSAGE)
google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://developers.google.com/accounts/docs/application-default-credentials.
如果你对如何解决这个问题有想法,我很乐意听到!
目前,云存储的客户端库中没有内置的方法来实现这一点。所以这里有两种可能性:
-
正如@JohnHanley所说,使用提供的内置方法[1][2]为云存储客户端创建构造函数。
-
您还可以考虑使用另一种产品,如云功能或应用程序引擎,允许您在服务级别配置身份验证,并避免提供服务帐户凭据。