[英]“insufficient authentication scopes” from Google API when calling from K8S cluster
I'm trying to report Node.js errors to Google Error Reporting, from one of our kubernetes deployments running on a GCP/GKE cluster with RBAC. 我正在尝试通过在带有RBAC的GCP / GKE集群上运行的我们的kubernetes部署之一将Node.js错误报告给Google Error Reporting。 (ie permissions defined in a service account associated to the cluster)
(即,在与群集关联的服务帐户中定义的权限)
const googleCloud = require('@google-cloud/error-reporting');
const googleCloudErrorReporting = new googleCloud.ErrorReporting();
googleCloudErrorReporting.report('[test] dummy error message');
This works only in certain environments: 这仅在某些环境中有效:
ERROR:@google-cloud/error-reporting: Encountered an error while attempting to transmit an error to the Stackdriver Error Reporting API.
ERROR:@ google-cloud / error-reporting:尝试将错误传输到Stackdriver Error Reporting API时遇到错误。
Error: Request had insufficient authentication scopes.
错误:请求的身份验证范围不足。
It feels like the job did pick up the permission changes of the cluster's service account, whereas my deployment did not. 感觉这项工作确实获得了群集服务帐户的权限更改,而我的部署却没有。
I did try to re-create the deployment to make it refresh its auth token, but the error is still happening... 我确实尝试过重新创建部署以使其刷新其身份验证令牌,但该错误仍在发生...
Any ideas? 有任何想法吗?
UPDATE : I ended up following Jérémie Girault's suggestion : create a service account and bind it to my deployment.
更新 :我最终遵循JérémieGirault的建议 :创建一个服务帐户并将其绑定到我的部署中。 It works!
有用!
The error message has to do with the access scopes set on the cluster when using the default service account. 错误消息与使用默认服务帐户时在群集上设置的访问范围有关。 You must enable access to the appropriate API.
您必须启用对相应API的访问。
As you mentioned, creating a separate service account, providing it the appropriate IAM permissions and linking it to your cluster or workload will bypass this error as well. 如您所述,创建一个单独的服务帐户,为其提供适当的IAM权限并将其链接到您的群集或工作负载,也将绕过此错误。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.