GCloud App Engine (flexible) Default Service Account Scope
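I am trying to connect to Google Calendar from a service running in the GCP App Engine flexible environment, using the default service account. I have set the correct scope needed for read-only access to calendar events (https://www.googleapis.com/auth/calendar.events.readonly), and I am able to access the calendar locally when impersonating the service account.
My service runs on Java Spring Boot and fails with the following error: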
{
  "message": "Request had insufficient authentication scopes.",
  "status": "PERMISSION_DENIED",
  "details": [
    {
      "@type": "type.googleapis.com/google.rpc.ErrorInfo",
      "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
      "domain": "googleapis.com",
      "metadata": {
        "service": "calendar-json.googleapis.com",
        "method": "calendar.v3.Events.List"
      }
    }
  ]
}
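
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport
import com.google.api.client.json.gson.GsonFactory
import com.google.api.client.util.DateTime
import com.google.api.gax.core.GoogleCredentialsProvider
import com.google.api.services.calendar.Calendar
import com.google.auth.http.HttpCredentialsAdapter
import java.util.Date
// Ask for the read-only calendar events scope on the default credentials
val scopes = listOf("https://www.googleapis.com/auth/calendar.events.readonly")
val credentialsProvider = GoogleCredentialsProvider.newBuilder().setScopesToApply(scopes).build()
val calendarService = Calendar.Builder(GoogleNetHttpTransport.newTrustedTransport(),
        GsonFactory.getDefaultInstance(),
        HttpCredentialsAdapter(credentialsProvider.credentials))
    .setApplicationName(applicationName)
    .build()
// List the next four upcoming events (this is the call that returns PERMISSION_DENIED)
calendarService.events().list(config.calendarId)
    .setSingleEvents(true)
    .setTimeMin(DateTime(Date()))
    .setMaxResults(4)
    .execute()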
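
Dependencies
I accessed the metadata endpoint directly on the application instance to check the token provided, only to find that the given token does not have the specified calendar scope.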
$ curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.events.readonly" -H 'Metadata-Flavor: Google'
{"access_token":"ya29.xxxxxx....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................","expires_in":3518,"token_type":"Bearer"}
$ curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$token" https://www.googleapis.com/oauth2/v1/tokeninfo
{
  "issued_to": "xxxxxxx",
  "audience": "xxxxxxx",
  "scope": "https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/appengine.apis",
  "expires_in": 3493,
  "email": "<project-id>@appspot.gserviceaccount.com",
  "verified_email": true,
  "access_type": "online"
}
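
The scope comparison done by eye above can be scripted. This is an added example, not part of the original post: it pulls the "scope" field out of a tokeninfo response and lists every required scope the token lacks. The function names and the embedded sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report which required OAuth
# scopes are absent from an access token, given its tokeninfo response.

# Constructed sample that mirrors the tokeninfo output shown in the post.
SAMPLE_TOKENINFO='{
  "issued_to": "xxxxxxx",
  "scope": "https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/appengine.apis",
  "expires_in": 3493
}'

# granted_scopes JSON -> prints one granted scope per line.
granted_scopes() {
  printf '%s\n' "$1" |
    sed -n 's/.*"scope"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
    tr ' ' '\n' | sed '/^$/d'
}

# missing_scopes JSON REQUIRED... -> prints each required scope that was not
# granted. Exit status is 0 when nothing is missing and 1 otherwise.
missing_scopes() {
  json=$1; shift
  granted=$(granted_scopes "$json")
  rc=0
  for want in "$@"; do
    # -x: whole-line match, -F: fixed string (scope URLs contain '.' and '/'),
    # so a broad scope such as cloud-platform never counts as a narrower one.
    if ! printf '%s\n' "$granted" | grep -qxF -- "$want"; then
      printf '%s\n' "$want"
      rc=1
    fi
  done
  return $rc
}

# Live use on the instance, with the same tokeninfo call as in the post:
#   missing_scopes "$(curl -s -d "access_token=$token" \
#     https://www.googleapis.com/oauth2/v1/tokeninfo)" \
#     https://www.googleapis.com/auth/calendar.events.readonly
```

Run against the sample, it prints the calendar.events.readonly scope as missing, matching the ACCESS_TOKEN_SCOPE_INSUFFICIENT error.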