How to use impersonate_service_account for streaming beam pipeline
How can I run a Beam pipeline locally (DirectRunner) in streaming mode using impersonate_service_account credentials? (in python3)
I want to get rid of Service Account key file (GOOGLE_APPLICATION_CREDENTIALS environment variable).
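Here's minimal code:
    import apache_beam as beam
    from apache_beam.io.gcp import pubsub
    from apache_beam.options.pipeline_options import GoogleCloudOptions, PipelineOptions

    options = PipelineOptions()
    # Service account to impersonate (placeholder, as in the question)
    options.view_as(GoogleCloudOptions).impersonate_service_account = "<MY SERVICE ACCOUNT EMAIL>"
    p = beam.Pipeline(options=options)
    source = pubsub.ReadFromPubSub(subscription=SUB,
                                   with_attributes=True,
                                   timestamp_attribute="evt_time")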
Where can I set source credentials (my own GCP user account credentials set via gcloud auth application-default login)? I checked the source code for PipelineOptions(), ReadFromPubSub() - none seem to have a suitable way to inject source credentials.
Thank you for advice.
If you just want to avoid exporting a key file, you can use a User principal and configure your gcloud SDK with gcloud auth application-default login.
This command is useful when you are developing code that would normally use a service account but need to run the code in a local development environment where it's easier to provide user credentials. The credentials will apply to all API calls that make use of the Application Default Credentials client library. Do not set the GOOGLE_APPLICATION_CREDENTIALS environment variable if you want to use the credentials generated by this command in your local development.
Or if you are trying to create an impersonating chain, you can use comma separated SAs in the impersonate_service_account pipeline option: {delegated_principal},{targeted_principal}. The auth logic that extracts the information is here
Unfortunately, not all Google Cloud services support ADC impersonated_service_account.
If you are not running on a Google Cloud compute service, you will need credentials on the system. Using the CLI gcloud just masks the fact that credentials are still stored on the system. The CLI is for developer convenience and not for security. You are trying to switch from GOOGLE_APPLICATION_CREDENTIALS to another method that requires storing different credentials. That will not improve your security.
Even if you used OAuth User credentials and then switched to impersonated credentials (I have written articles on that), you still store credentials and secrets on the local system. Basically, you have a chicken and egg situation. You need credentials to impersonate other credentials. When running in the cloud, those credentials are managed for you. Outside the cloud, you manage the credentials.
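Added example, not from the original posts and not Beam's own code: how a comma-separated chain in the {delegated_principal},{targeted_principal} form maps onto google-auth's impersonated_credentials.Credentials, with gcloud ADC as the source credentials and a check that GOOGLE_APPLICATION_CREDENTIALS is unset. The helper names, the cloud-platform scope and the 900-second lifetime are assumptions; the last function needs the google-auth package and an ADC login on the machine.

```python
import os

# Assumed scope for this example; narrow it to what the pipeline needs.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def split_chain(option_value):
    """Split '{delegated_principal},{targeted_principal}' into (target, delegates).

    The last entry is the account to act as; earlier entries are the
    intermediate accounts, in order.
    """
    accounts = [a.strip() for a in option_value.split(",")]
    if any(not a for a in accounts):
        raise ValueError(f"empty entry in impersonation chain: {option_value!r}")
    if len(set(accounts)) != len(accounts):
        raise ValueError(f"duplicate account in impersonation chain: {option_value!r}")
    return accounts[-1], accounts[:-1]


def key_file_in_use(environ=os.environ):
    """True when a key file would override the gcloud-generated ADC credentials."""
    return bool(environ.get("GOOGLE_APPLICATION_CREDENTIALS"))


def impersonated_from_adc(option_value, lifetime_seconds=900, environ=os.environ):
    """Build short-lived impersonated credentials on top of ADC user credentials."""
    if key_file_in_use(environ):
        raise RuntimeError("unset GOOGLE_APPLICATION_CREDENTIALS to use gcloud ADC")
    # Imported here so the helpers above work without google-auth installed.
    import google.auth
    from google.auth import impersonated_credentials

    target, delegates = split_chain(option_value)
    # Source credentials: whatever `gcloud auth application-default login` stored.
    source, _project = google.auth.default(scopes=[CLOUD_PLATFORM_SCOPE])
    return impersonated_credentials.Credentials(
        source_credentials=source,
        target_principal=target,
        delegates=delegates,
        target_scopes=[CLOUD_PLATFORM_SCOPE],
        lifetime=lifetime_seconds,  # seconds; the minted token expires after this
    )
```

The source identity needs the Service Account Token Creator role on the first account in the chain, and each delegate needs it on the next one. The refresh token written by gcloud still sits on the local disk, as the last answer points out.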