[英]How to signed url for Google cloud storage on Google App Engine Standard environment with Python3.7?
I can't find a way to have a working signed url on Google App Engine Standard environment with Python3.7.我找不到使用 Python3.7 在 Google App Engine 标准环境中使用签名网址的方法。
I have look at the documentation here : https://cloud.google.com/storage/docs/access-control/signing-urls-manually我在这里查看文档: https : //cloud.google.com/storage/docs/access-control/signing-urls-manually
Within a Google App Engine application, you can use the App Engine App Identity service to sign your string.
在 Google App Engine 应用程序中,您可以使用App Engine App Identity服务来签署您的字符串。
But the App Engine App Identity rely on google.appengine
package, that is not availalble on python 3.7 env as explain here但是 App Engine App Identity 依赖于
google.appengine
包,这在 python 3.7 env 上不可用,如解释here
Proprietary App Engine APIs are not available in Python 3. This section lists recommended replacements.
专有 App Engine API 在 Python 3 中不可用。本节列出了推荐的替代品。
The overall goal is that your app should be fully portable and run in any standard Python environment.
总体目标是您的应用程序应该是完全可移植的,并且可以在任何标准 Python 环境中运行。 You write a standard Python app, not an App Engine Python app.
您编写的是标准 Python 应用程序,而不是 App Engine Python 应用程序。 As part of this shift, you are no longer required to use proprietary App Engine APIs and services for your app's core functionality.
作为这一转变的一部分,您不再需要为应用的核心功能使用专有的 App Engine API 和服务。 At this time, App Engine APIs are not available in the Python 3.7 runtime.
目前,App Engine API 在 Python 3.7 运行时中不可用。
All the api on sdk rely on google.appengine
and raise an exception on python 3.7 env : EnvironmentError('The App Engine APIs are not available.')
raise here that rely on proprietary api : sdk 上的所有 api 都依赖于
google.appengine
并在 python 3.7 env 上引发异常: EnvironmentError('The App Engine APIs are not available.')
在此处引发依赖专有 api 的异常:
try:
from google.appengine.api import app_identity
except ImportError:
app_identity = None
I know I can use many solution like ServiceAccountCredentials.from_json_keyfile_dict(service_account_dict)
but I have to upload a file with credentials directly on app engine and I can't do it since the project credential will be expose on git or ci.我知道我可以使用许多解决方案,例如
ServiceAccountCredentials.from_json_keyfile_dict(service_account_dict)
但我必须直接在应用引擎上上传带有凭据的文件,我不能这样做,因为项目凭据将在 git 或 ci 上公开。
I really want to rely on default credential from app engine like other Google Cloud api like storage.Client()
for example that work out of box.我真的很想依赖来自应用引擎的默认凭据,比如其他 Google Cloud api,比如
storage.Client()
,例如开箱即用。
Any suggestion ?有什么建议吗?
For Python interactions with Google Cloud use Python Client that is supported on App Engine standard Python 3 runtime. 对于Python与Google Cloud的交互,请使用App Engine标准Python 3运行时支持的Python客户端 。
To access Cloud Storage using google-cloud-storage from App Engine Standard: 要使用App Engine Standard中的google-cloud-storage访问云存储:
storage.Client()
only. storage.Client()
身份验证。 Depending on what you need to achieve, I would also suggest trying different possible approaches: 根据您需要实现的目标,我还建议您尝试不同的方法:
It is also possible to sign blobs with appengine api using: 也可以使用appengine api对blob进行签名 :
google.appengine.api.app_identity.sign_blob()
This question might be old, but it's one the first ones to show on a Google search, so I thought it might help someone who comes looking in the future to post this here as well.这个问题可能很老,但它是第一个在 Google 搜索中显示的问题,所以我认为它可能会帮助将来寻找的人也在这里发布这个问题。
The answer @guillaume-blaquiere posted here does work, but it requires an additional step not mentioned, which is to add the Service Account Token Creator
role in IAM to your default service account , which will allow said default service account to "Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc)."此处发布的答案@guillaume-blaquiere确实有效,但它需要一个未提及的额外步骤,即将 IAM 中的
Service Account Token Creator
角色添加到您的默认服务帐户,这将允许所述默认服务帐户“模拟服务帐户” (创建 OAuth2 访问令牌、签署 blob 或 JWT 等)。”
This allows the default service account to sign blobs, as per the signBlob documentation .这允许默认服务帐户根据signBlob 文档对 blob 进行签名。
I tried it on AppEngine and it worked perfectly once that permission was given.我在 AppEngine 上尝试过,一旦获得许可,它就可以完美运行。
import datetime as dt
from google import auth
from google.cloud import storage
# SCOPES = [
# "https://www.googleapis.com/auth/devstorage.read_only",
# "https://www.googleapis.com/auth/iam"
# ]
credentials, project = auth.default(
# scopes=SCOPES
)
credentials.refresh(auth.transport.requests.Request())
expiration_timedelta = dt.timedelta(days=1)
storage_client = storage.Client(credentials=credentials)
bucket = storage_client.get_bucket("bucket_name")
blob = bucket.get_blob("blob_name")
signed_url = blob.generate_signed_url(
expiration=expiration_timedelta,
service_account_email=credentials.service_account_email,
access_token=credentials.token,
)
I downloaded a key for the AppEngine default service account to test locally, and in order to make it work properly outside of the AppEngine environment, I had to add the proper scopes to the credentials, as per the commented lines setting the SCOPES
.我下载了 AppEngine默认服务帐户的密钥以进行本地测试,为了使其在 AppEngine 环境之外正常工作,我必须根据设置
SCOPES
的注释行向凭据添加适当的范围。 You can ignore them if running only in AppEngine itself.如果仅在 AppEngine 本身中运行,您可以忽略它们。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.