UNAUTHENTICATED error when trying to access API in Spring deployed in GKE

I have an API application deployed in Google Kubernetes Engine. The application is using Firestore as its DB. When I try to call the API (both from Postman and a browser), I get HTTP error 500. This is what it says in the log:

io.grpc.StatusRuntimeException: UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
    at io.grpc.Status.asRuntimeException(Status.java:533) ~[grpc-api-1.30.2.jar!/:1.30.2]
    at io.grpc.stub.ClientCalls$StreamObserverToCallListenerAdapter.onClose(ClientCalls.java:460) ~[grpc-stub-1.30.2.jar!/:1.30.2]
    at io.grpc.internal.ClientCallImpl.closeObserver(ClientCallImpl.java:426) ~[grpc-core-1.30.2.jar!/:1.30.2]
    at io.grpc.internal.ClientCallImpl.access$500(ClientCallImpl.java:66) ~[grpc-core-1.30.2.jar!/:1.30.2]
    at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl.close(ClientCallImpl.java:689) ~[grpc-core-1.30.2.jar!/:1.30.2]
    at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl.access$900(ClientCallImpl.java:577) ~[grpc-core-1.30.2.jar!/:1.30.2]
    at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInternal(ClientCallImpl.java:751) ~[grpc-core-1.30.2.jar!/:1.30.2]
    at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInContext(ClientCallImpl.java:740) ~[grpc-core-1.30.2.jar!/:1.30.2]
    at io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37) ~[grpc-core-1.30.2.jar!/:1.30.2]
    at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:123) ~[grpc-core-1.30.2.jar!/:1.30.2]
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
    at java.base/java.lang.Thread.run(Thread.java:829) ~[na:na]

This is roughly how my Spring application looks:

MainApplication

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
// Spring Cloud GCP 1.x package; 2.x moved it to com.google.cloud.spring.data.firestore.repository.config
import org.springframework.cloud.gcp.data.firestore.repository.config.EnableReactiveFirestoreRepositories;

@SpringBootApplication(scanBasePackages = { "package.name.here" })
@EnableReactiveFirestoreRepositories
public class UserApplication {

    public static void main(String[] args) {
        SpringApplication.run(UserApplication.class, args);
    }

}

RestController

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import reactor.core.publisher.Flux;

@RestController
@RequestMapping("/users")
public class UserAPI {
    @Autowired
    UserService userService;

    // The element type must match UserService.findAll(), which yields
    // Flux<User>, not Flux<UserService>.
    @GetMapping("/all")
    public Flux<User> getAllUsers() {
        return userService.findAll();
    }
}

UserService

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import reactor.core.publisher.Flux;

@Component
public class UserService {
    @Autowired
    UserRepository userRepository;

    public Flux<User> findAll() {
        return userRepository.findAll();
    }
}

UserRepository

import org.springframework.cloud.gcp.data.firestore.FirestoreReactiveRepository;
import reactor.core.publisher.Mono;

public interface UserRepository extends FirestoreReactiveRepository<User> {
    Mono<User> findByUsername(String username);
    Mono<User> findByEmail(String email);
}

I have configured Postman Authorisation as guided here in the official documentation, but it still gives the error above.

I'm using my Google account, which is the owner of the project, when requesting an access token in Postman.

Could anyone help me with this?

Thank you in advance.

When you run code on Google Cloud Platform, it needs to auth as an identity.

It is recommended that you use a Service Account as the identity for software.

The account will need to be configured with suitable IAM permissions. For example, to read from Firestore, the Service Account will need roles/datastore.viewer.

NOTE: For historical reasons, Firestore IAM roles include the prefix datastore. This is because Cloud Datastore is one of Google Cloud Platform's original services and its functionality was expanded to include the functionality that Cloud Firestore provides.

In the case of Kubernetes Engine (GKE), an extra step is needed to expose the (Cloud Platform Service Account) identity so that it is accessible to the Pods in the cluster.

There are 2 ways you can do this:

  1. Mount a GCP Service Account key as a Kubernetes Secret in a Pod. This approach will work across any Kubernetes distribution. See Authenticating to Google Cloud with Service Accounts.
  2. Google also provides a more elegant, albeit Google-only, solution that may better serve your needs, called Workload Identity.
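The second option end to end, as an added example that is not part of the answer above or of any Google documentation: the gcloud and kubectl sequence that creates a dedicated Google service account holding only roles/datastore.viewer, lets one Kubernetes ServiceAccount impersonate it through the cluster's Workload Identity pool, and runs the Spring application under that ServiceAccount. Every name in it (PROJECT_ID, CLUSTER, ZONE, NODE_POOL, NAMESPACE, KSA, GSA, the container image) is an assumption to be replaced; nothing in the Java code changes, because the Google client libraries obtain Application Default Credentials from the GKE metadata server. Setting DRY_RUN=1 prints the commands instead of running them, which is also how the wiring can be reviewed before anything is applied.

```shell
#!/usr/bin/env bash
# Workload Identity wiring for a GKE workload that reads Firestore.
# Added example, not code from the question or the answer. All values
# below are assumed placeholders; override them through the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"   # assumed GCP project id
CLUSTER="${CLUSTER:-my-cluster}"             # assumed GKE cluster name
ZONE="${ZONE:-us-central1-a}"                # assumed cluster location
NODE_POOL="${NODE_POOL:-default-pool}"       # assumed node pool running the app
NAMESPACE="${NAMESPACE:-users}"              # assumed Kubernetes namespace
KSA="${KSA:-user-api}"                       # assumed Kubernetes ServiceAccount
GSA="${GSA:-user-api-reader}"                # assumed Google service account (short name)
GSA_EMAIL="${GSA}@${PROJECT_ID}.iam.gserviceaccount.com"

# Workload Identity pool member for a KSA: PROJECT_ID.svc.id.goog[NAMESPACE/KSA]
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# Print instead of execute when DRY_RUN=1, so the plan can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

enable_workload_identity() {
  # Cluster level: turn on the workload pool (once per cluster).
  run gcloud container clusters update "$CLUSTER" --zone "$ZONE" \
    --project "$PROJECT_ID" --workload-pool="${PROJECT_ID}.svc.id.goog"
  # Node-pool level: pods must talk to the GKE metadata server, not the VM's.
  run gcloud container node-pools update "$NODE_POOL" --cluster "$CLUSTER" \
    --zone "$ZONE" --project "$PROJECT_ID" --workload-metadata=GKE_METADATA
}

create_gsa_with_least_privilege() {
  run gcloud iam service-accounts create "$GSA" --project "$PROJECT_ID" \
    --display-name "Firestore reader for ${KSA}"
  # Read-only Firestore access only: roles/datastore.viewer, as the answer states.
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:${GSA_EMAIL}" --role roles/datastore.viewer
}

bind_ksa_to_gsa() {
  run kubectl create namespace "$NAMESPACE"
  run kubectl create serviceaccount "$KSA" --namespace "$NAMESPACE"
  # Allow exactly this KSA (namespace + name) to impersonate the GSA...
  run gcloud iam service-accounts add-iam-policy-binding "$GSA_EMAIL" \
    --project "$PROJECT_ID" --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$PROJECT_ID" "$NAMESPACE" "$KSA")"
  # ...and tell GKE which GSA the KSA maps to.
  run kubectl annotate serviceaccount "$KSA" --namespace "$NAMESPACE" \
    "iam.gke.io/gcp-service-account=${GSA_EMAIL}"
}

# Deployment that runs the Spring app under the bound KSA (assumed image name).
deployment_manifest() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: user-api
  namespace: ${NAMESPACE}
spec:
  replicas: 1
  selector:
    matchLabels: {app: user-api}
  template:
    metadata:
      labels: {app: user-api}
    spec:
      serviceAccountName: ${KSA}  # pods get GSA tokens from the GKE metadata server
      containers:
      - name: user-api
        image: gcr.io/${PROJECT_ID}/user-api:latest  # assumed image
        ports:
        - containerPort: 8080
EOF
}

deploy() {
  deployment_manifest | run kubectl apply -f -
}

main() {
  enable_workload_identity
  create_gsa_with_least_privilege
  bind_ksa_to_gsa
  deploy
}

# Usage: DRY_RUN=1 ./wi-setup.sh apply   (review)   then   ./wi-setup.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

The binding is deliberately narrow: only the one KSA in the one namespace may mint tokens for the GSA, and the GSA itself holds a single read-only role, so a compromised pod can read Firestore and nothing else. Compared with the first option, there is no key file to mount, rotate, or leak, and the credential a pod receives is a short-lived access token rather than a long-lived private key.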
