UNAUTHENTICATED error when trying to access API in Spring deployed in GKE
I have an API application deployed in Google Kubernetes Engine. The application is using Firestore as its DB. When I try to call the API (both from Postman and browser), I get HTTP error 500. This is what it says in the log:
io.grpc.StatusRuntimeException: UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
	at io.grpc.Status.asRuntimeException(Status.java:533) ~[grpc-api-1.30.2.jar!/:1.30.2]
	at io.grpc.stub.ClientCalls$StreamObserverToCallListenerAdapter.onClose(ClientCalls.java:460) ~[grpc-stub-1.30.2.jar!/:1.30.2]
	at io.grpc.internal.ClientCallImpl.closeObserver(ClientCallImpl.java:426) ~[grpc-core-1.30.2.jar!/:1.30.2]
	at io.grpc.internal.ClientCallImpl.access$500(ClientCallImpl.java:66) ~[grpc-core-1.30.2.jar!/:1.30.2]
	at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl.close(ClientCallImpl.java:689) ~[grpc-core-1.30.2.jar!/:1.30.2]
	at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl.access$900(ClientCallImpl.java:577) ~[grpc-core-1.30.2.jar!/:1.30.2]
	at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInternal(ClientCallImpl.java:751) ~[grpc-core-1.30.2.jar!/:1.30.2]
	at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInContext(ClientCallImpl.java:740) ~[grpc-core-1.30.2.jar!/:1.30.2]
	at io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37) ~[grpc-core-1.30.2.jar!/:1.30.2]
	at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:123) ~[grpc-core-1.30.2.jar!/:1.30.2]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
	at java.base/java.lang.Thread.run(Thread.java:829) ~[na:na]
This is roughly what my Spring application looks like:
// Each class below lives in its own file in the original; they are listed together here.
// Package names are those of Spring Cloud GCP 1.x (matching grpc 1.30.x in the trace);
// Spring Cloud GCP 2.x+ moves them under com.google.cloud.spring.data.firestore.
import com.google.cloud.firestore.annotation.DocumentId;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.gcp.data.firestore.Document;
import org.springframework.cloud.gcp.data.firestore.FirestoreReactiveRepository;
import org.springframework.cloud.gcp.data.firestore.repository.config.EnableReactiveFirestoreRepositories;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

@SpringBootApplication(scanBasePackages = { "package.name.here" })
@EnableReactiveFirestoreRepositories
public class UserApplication {
    public static void main(String[] args) {
        SpringApplication.run(UserApplication.class, args);
    }
}

// The entity is not shown in the original post; this minimal shape is the one
// implied by the repository's findByUsername/findByEmail query methods.
@Document(collectionName = "users")
public class User {
    @DocumentId
    public String id;
    public String username;
    public String email;
}

@RestController
@RequestMapping("/users")
public class UserAPI {
    @Autowired
    UserService userService;

    // The original declared Flux<UserService>; the service returns Flux<User>.
    @GetMapping("/all")
    public Flux<User> getAllUsers() {
        return userService.findAll();
    }
}

@Component
public class UserService {
    @Autowired
    UserRepository userRepository;

    // Every Firestore call goes out over gRPC using the credentials available to the
    // pod, not the caller's HTTP token; that outbound call is what raised UNAUTHENTICATED.
    public Flux<User> findAll() {
        return userRepository.findAll();
    }
}

public interface UserRepository extends FirestoreReactiveRepository<User> {
    Mono<User> findByUsername(String username);
    Mono<User> findByEmail(String email);
}
I have configured Postman Authorisation as guided here from the official documentation, but it still gives the error above.
I'm using my Google account, which is the owner of the project, when requesting the access token in Postman.
Could anyone help me with this?
Thank you in advance.
When you run code on Google Cloud Platform, it needs to auth as an identity.
It is recommended that you use a Service Account as the identity for software.
The account will need to be configured with suitable IAM permissions. For example, to read from Firestore, the Service Account will need roles/datastore.viewer.
NOTE For historical reasons, Firestore IAM roles include the prefix datastore. This is because Cloud Datastore is one of Google Cloud Platform's original services and its functionality was expanded to include the functionality that Cloud Firestore provides.
In the case of Kubernetes Engine (GKE), an extra step is needed to expose the (Cloud Platform Service Account) identity so that it is accessible to the Pods in the cluster.
There are 2 ways you can do this:
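The procedure the answer describes, as an added example that is not part of the original question or answer: a shell script that creates the Google service account, grants it roles/datastore.viewer, and exposes it to the application's pods through GKE Workload Identity (the other way is to store a service-account key file in a Kubernetes Secret and point GOOGLE_APPLICATION_CREDENTIALS at the mounted file, which leaves a long-lived key to protect and rotate). The UNAUTHENTICATED status in the log is raised by the application's own outbound gRPC call to Firestore, so the token Postman attaches to the incoming HTTP request never reaches Firestore; the identity that matters is the pod's. All names (my-project, api-cluster, user-api, user-api-firestore, the default namespace, the zone) are placeholders. With DRY_RUN=1, the default, the script only prints the gcloud and kubectl commands it would run, so it can be read and checked offline; set DRY_RUN=0 against a real project to apply them.

```shell
#!/bin/sh
# Added example (not from the original post). Binds a Google service account that
# holds roles/datastore.viewer to the Spring app's pods via GKE Workload Identity.
# All names are placeholders; override them in the environment. DRY_RUN=1 (default)
# only prints the commands instead of executing them.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
CLUSTER="${CLUSTER:-api-cluster}"
NODE_POOL="${NODE_POOL:-default-pool}"
ZONE="${ZONE:-europe-west1-b}"
NAMESPACE="${NAMESPACE:-default}"
KSA_NAME="${KSA_NAME:-user-api}"            # Kubernetes service account the pods run as
GSA_NAME="${GSA_NAME:-user-api-firestore}"  # Google service account that talks to Firestore
DRY_RUN="${DRY_RUN:-1}"

# Full e-mail of a Google service account: NAME@PROJECT.iam.gserviceaccount.com
gsa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# Workload Identity principal for a Kubernetes service account. A wrong namespace or
# missing brackets here makes the binding silently ineffective.
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"; }

# ServiceAccount manifest carrying the annotation GKE uses to map the KSA to the GSA.
ksa_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
  annotations:
    iam.gke.io/gcp-service-account: $3
EOF
}

# Print the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

main() {
  GSA_EMAIL=$(gsa_email "$GSA_NAME" "$PROJECT_ID")
  MEMBER=$(wi_member "$PROJECT_ID" "$NAMESPACE" "$KSA_NAME")

  # 1. Workload Identity must be enabled on the cluster and on the node pool the app runs on.
  run gcloud container clusters update "$CLUSTER" --zone "$ZONE" --project "$PROJECT_ID" \
      --workload-pool="$PROJECT_ID.svc.id.goog"
  run gcloud container node-pools update "$NODE_POOL" --cluster "$CLUSTER" --zone "$ZONE" \
      --project "$PROJECT_ID" --workload-metadata=GKE_METADATA

  # 2. Google service account with the least role the app needs: read-only Firestore access.
  run gcloud iam service-accounts create "$GSA_NAME" --project "$PROJECT_ID"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member "serviceAccount:$GSA_EMAIL" --role roles/datastore.viewer

  # 3. Allow exactly this Kubernetes service account to impersonate the Google one.
  run gcloud iam service-accounts add-iam-policy-binding "$GSA_EMAIL" --project "$PROJECT_ID" \
      --role roles/iam.workloadIdentityUser --member "$MEMBER"

  # 4. Annotated KSA; the Deployment must set spec.template.spec.serviceAccountName to it.
  ksa_manifest "$NAMESPACE" "$KSA_NAME" "$GSA_EMAIL" | run kubectl apply -f -

  # 5. Check from inside a pod: the metadata server should now report the GSA e-mail.
  run kubectl run -n "$NAMESPACE" wi-check --rm -i --restart=Never --image=curlimages/curl \
      --overrides="{\"spec\":{\"serviceAccountName\":\"$KSA_NAME\"}}" -- \
      curl -s -H 'Metadata-Flavor: Google' \
      http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email
  printf 'expected identity: %s\n' "$GSA_EMAIL"
}

main
```

Step 5 is the check worth keeping: if the e-mail printed from inside the pod is the node's default compute service account rather than the GSA, the pod is not running as the annotated KSA or the node pool is not using GKE_METADATA, and the Firestore client will keep failing regardless of the IAM grant. roles/datastore.viewer is enough for the read-only endpoint shown; writing users needs roles/datastore.user, and nothing here requires Owner on the project.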