我正在做一个托管在谷歌云平台上的项目,我正试图习惯他们的gcloudcli。有一件事我真的不明白,那就是它的认证方案。
作为一个例子,如果我运行gcloud config configurations list,我得到所有配置的列表:
PS C:Usersusernamedevproject-library> gcloud config configurations list
NAME IS_ACTIVE ACCOUNT PROJECT COMPUTE_DEFAULT_ZONE COMPUTE_DEFAULT_REGION
default True username@domain.com project-dev-gcp
project-dev-local False project-dev-gcp
同样,如果我运行gcloud auth list,它会显示我使用的认证帐户:
PS C:Usersusernamedevproject-library> gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* username@domain.com
To set the active account, run:
$ gcloud config set account `ACCOUNT`
但是如果我尝试运行gcloud projects list,我不会得到我的GCP项目列表。相反,我看到一个错误,表明我没有经过身份验证:
PS C:Usersusernamedevproject-library> gcloud projects list
ERROR: (gcloud.projects.list) UNAUTHENTICATED: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
好的,那么如果我尝试使用gcloud auth application-default login进行身份验证呢?
PS C:Usersusernamedevproject-library> gcloud auth application-default login
Your browser has been opened to visit:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=xxxx
Credentials saved to file: [C:UsersusernameAppDataRoaminggcloudapplication_default_credentials.json]
These credentials will be used by any library that requests Application Default Credentials (ADC).
ERROR: (gcloud.auth.application-default.login) UNAUTHENTICATED: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
又出现了UNAUTHENTICATED错误,尽管我的浏览器打开了登录页面,我选择了我的Google帐户,然后在提示时授予访问Google Auth库的权限。
奇怪的是我实际上有一个访问令牌:PS C:Usersusernamedevproject-library> gcloud auth print-access-token
ya29.a0AfH6SMCGhGKSd39hJxfCBBNIDPGvpGjjskAKNDyH24C9TU0tG8P-FH_YL3OBJOZiqFXD4hKbVGCSNpfuwqOhB2p7uaBI_PtMuQO_Ip2fiMYHbHeLzyKKrnthFV4MqCNM_P80uQrTFy9LvvFm-kpcYFFFmh4Sam2Uoq3wsPW8m9febwFX2-4
最终,我想做的是获得kubernetes配置,以便我可以使用kubectl与集群交互,但当然gcloud container clusters get-credentials告诉我,我没有经过身份验证:
PS C:Usersusernamedevproject-library> gcloud container clusters get-credentials project-dev --region us-east4 --project project-dev-gcp
Fetching cluster endpoint and auth data.
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=401, message=Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
怎么了?为什么我似乎不能用gcloud做任何事情?导致UNAUTHENTICATED错误的原因是什么?如何修复它?
我非常熟悉awscli身份验证方案,但是我很难理解gcloud做事情的方式。即使cli不工作,我似乎有完整的控制台访问权限,我知道这个东西确实在工作,因为我过去使用k9s访问过kubernetes集群日志。
找到问题了。似乎我在C:UsersusernameAppDataRoaminggcloudconfigurationsconfig_default的[default]配置文件包含一些导致问题的坏配置值:
[core]
account = username@domain.com
project = project-dev-gcp
[compute]
[auth]
disable_credentials = true
[spanner]
instance = project-local
[api_endpoint_overrides]
spanner = http://localhost:9020/
OP中的未经验证的问题是由disable_credentials = true引起的,如果我试图通过CLI与Google Cloud Spanner交互,[api_endpoint_overrides]部分的内容会导致类似的问题。
现在,这个配置文件在某些上下文中确实是有意义的。我们为本地测试保留了另一个gcloud配置,在这种情况下,我们实际上做想要禁用验证并在运行在docker容器中的模拟器上指向Cloud Spanner调用。显然,在用于与真正的GCP对话的[default]配置文件中不应该出现这种情况。
解决方案是从该文件中删除违规配置,使其看起来像:
[core]
account = username@domain.com
project = project-dev-gcp
我使用
修复了这个问题gcloud config set auth/disable_credentials false
disable_credentials设置为true以在本地运行发布-订阅模拟器或扳手。这导致在获取容器集群信用时失败。在我将上面的属性设置为false之后,它能够实时调用GCP以获取信用。
gcloud config set auth/disable_credentials false