stackoom
  简体   繁体   中英

How gcloud manages to work with svcacc only API?

 原文  2020-05-27 08:21:07       google-cloud-platform/ gcloud/ google-speech-to-text-api

Question

I'm trying to understand how gcloud manages to work with APIs that require service account to access them, eg accessing Speech API using your user (not svcacc) credentials will result in "403 Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the speech.googleapis.com".

However when I run gcloud ml speech recognize gs://cloud-samples-tests/speech/brooklyn.flac --language-code=en-US it works just fine even-though I didn't set any dedidcated svcacc keys as described in the quick start [1], and even disabled all service accounts in the project just to be sure.

So again,

  • gcloud ml speech recognize gs://cloud-samples-tests/speech/brooklyn.flac --language-code=en-US - works
  • curl -s -H "Content-Type: application/json" -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) https://speech.googleapis.com/v1/speech:recognize -d @sync-request.json as per [2] fails with 403 error above

Question: how gcloud manages to work without me providing it with a dedicated service account?

[1] https://cloud.google.com/speech-to-text/docs/quickstart-gcloud

1 answers

solution1
 1  2020-05-27 15:44:54

Google credentials are provided by two types of account: service accounts and regular (human?) accounts (eg @gmail.com , @your.email ). The types of tokens issued for these accounts differ but they both authenticate to services.

When you use gcloud you're often using human accounts that you have previously authenticated using gcloud auth login and may be shown with gcloud auth list .

In this case, you're also using these gcloud human credentials with curl because you acquire an access token using gcloud auth print-access-token . Your two examples effectively authenticated using the same (probably human) account.

When you want to have one service authenticate to another, it is recommended that you use service accounts. There's no human in the process to support OAuth's three-legged auth and so service accounts use two-legged auth (see link ).

Generally with Cloud Platform services, credentials must also have IAM roles that describe permissions that authorize their use, but some Cloud Platform services (IIRC ML) do not (yet) implement IAM and so authorization is achieved solely using OAuth scopes and you can use vanilla service accounts that have no specific IAM bindings assigned.

NOTE it is possible to authenticate gcloud with service accounts too gcloud auth activate-service-account but IIRC this approach is being discouraged.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Golang and gcloud API: how to get an auth token How to use gcloud Python API locally gcloud-java pubsub API : how to set “Return Immediately” flag How to get only the "project name" from GCP using gcloud command? How do I make gcloud work on opensuse 13.2 in Google Cloud? How to work on different gcloud (google cloud) projects easily How to get shell script to work on gcloud CLI in PowerShell? How to troubleshoot enabling API services in GCP using gcloud How Google cloud platform manages timezones? How to resolve GCloud permissions?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM