GCloud App Engine（灵活）默认服务帐户 Scope

Question

我正在尝试使用默认服务帐户从 GCP App Engine 灵活环境中运行的服务连接到谷歌日历。 我已经设置了正确的 scope 访问日历所需的只读事件（ https://www.googleapis.com/auth/calendar.events.readonly ）并且我能够在模拟服务帐户时在本地访问日历。

我的服务在 java spring 启动时运行并出现以下错误

{
  "message": "Request had insufficient authentication scopes.",
  "status": "PERMISSION_DENIED",
  "details": [
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
    "domain": "googleapis.com",
    "metadata": {
      "service": "calendar-json.googleapis.com",
      "method": "calendar.v3.Events.List"
    }
  }
}

代码片段

val scopes = listOf("https://www.googleapis.com/auth/calendar.events.readonly")
val credentialsProvider = GoogleCredentialsProvider.newBuilder().setScopesToApply(scopes).build()

val calendarService = Calendar.Builder(GoogleNetHttpTransport.newTrustedTransport(),
                                GsonFactory.getDefaultInstance(),
                                HttpCredentialsAdapter(credentialsProvider.credentials))
            .setApplicationName(applicationName)
            .build()

calendarService.events().list(config.calendarId)
            .setSingleEvents(true)
            .setTimeMin(DateTime(Date()))
            .setMaxResults(4)
            .execute()

依赖项

com.google.cloud:spring-cloud-gcp-dependencies:3.1.0
org.springframework.cloud:spring-cloud-dependencies:2021.0.1
com.google.cloud:spring-cloud-gcp-starter
com.google.auth:google-auth-library-appengine
com.google.appengine:appengine-api-1.0-sdk
com.google.apis:google-api-services-calendar:v3-rev411-1.25.0

我试过的

我直接访问了应用程序实例上的元数据端点以检查提供的令牌。 只找出给定的令牌没有指定的日历 scope。

$ curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.events.readonly" -H 'Metadata-Flavor: Google'
{"access_token":"ya29.xxxxxx....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................","expires_in":3518,"token_type":"Bearer"}

$ curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$token" https://www.googleapis.com/oauth2/v1/tokeninfo
{
  "issued_to": "xxxxxxx",
  "audience": "xxxxxxx",
  "scope": "https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/appengine.apis",
  "expires_in": 3493,
  "email": "<project-id>@appspot.gserviceaccount.com",
  "verified_email": true,
  "access_type": "online"
}

Answer 1

Google Compute Engine 实例可以拥有受访问范围限制的服务帐户的权限。

您列出的范围是默认访问范围链接。 这意味着您添加的范围会被 VM 实例设置过滤掉。

在 Google Cloud Console GUI 中，将 VM 实例的访问范围更改为Allow full access to all Cloud APIs 。 您也可以使用 CLI 链接。

GCloud App Engine（灵活）默认服务帐户 Scope

问题描述

代码片段

我试过的

1 个解决方案

解决方案1
0 2022-03-24 06:18:01

GCloud App Engine（灵活）默认服务帐户 Scope

问题描述

代码片段

我试过的

1 个解决方案

解决方案1 0 2022-03-24 06:18:01

解决方案1
0 2022-03-24 06:18:01