GCP: Allow Service Account to Impersonate a User Account with Google Analytics Scopes

I'm trying to create a script so that the service account ga@googleanalytics.iam.gserviceaccount.com can impersonate the user account ga@domain.tld with the following GA scopes:

target_scopes = ['https://www.googleapis.com/auth/analytics',
'https://www.googleapis.com/auth/analytics.edit',
'https://www.googleapis.com/auth/analytics.manage.users',
'https://www.googleapis.com/auth/analytics.provision',
'https://www.googleapis.com/auth/analytics.user.deletion'] 

so that it can add properties to other GA accounts that the user account (ga@domain.tld) has previously been granted access to.

Here is the code I wrote, including the impersonation:

from google.analytics.admin import AnalyticsAdminServiceClient  # google-analytics-admin package
from google.auth import impersonated_credentials
from google.oauth2 import service_account

target_scopes = ['https://www.googleapis.com/auth/analytics',
                 'https://www.googleapis.com/auth/analytics.edit',
                 'https://www.googleapis.com/auth/analytics.manage.users',
                 'https://www.googleapis.com/auth/analytics.provision',
                 'https://www.googleapis.com/auth/analytics.user.deletion']

# Service account key file used as the source identity
source_credentials = service_account.Credentials.from_service_account_file(
    'ga-1234567890.json',
    scopes=target_scopes)

# Ask the IAM Credentials API for a short-lived token as ga@domain.tld
target_credentials = impersonated_credentials.Credentials(
    source_credentials=source_credentials,
    target_principal='ga@domain.tld',
    target_scopes=target_scopes,
    lifetime=500)

client = AnalyticsAdminServiceClient(credentials=target_credentials)

Which returns the exception:

>Oops! <class 'google.api_core.exceptions.ServiceUnavailable'> occurred.
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:    
status = StatusCode.UNAVAILABLE    
details = "Getting metadata from plugin failed with error: ('Unable to acquire impersonated credentials', '{\n  "error": {\n"code": 404,\n"message": "Not found; Gaia id not found for email ga@domain.tld",\n     
"status": "NOT_FOUND"\n  }\n}\n')"

debug_error_string = "UNKNOWN:Error received from peer analyticsadmin.googleapis.com:443 {created_time:"2022-11-17T15:28:49.7504959+00:00", grpc_status:14, grpc_message:"Getting metadata from plugin failed with error: (\'Unable to acquire impersonated credentials\', \'{\\n  \"error\": {\\n\"code\": 404,\\n\"message\": \"Not found; Gaia id not found for email ga@domain.tld\",\\n\"status\": \"NOT_FOUND\"\\n  }\\n}\\n\')"}"  

When I try to run the following code without impersonation:

from google.analytics.admin import AnalyticsAdminServiceClient  # google-analytics-admin package
from google.oauth2 import service_account

target_scopes = ['https://www.googleapis.com/auth/analytics',
                 'https://www.googleapis.com/auth/analytics.edit',
                 'https://www.googleapis.com/auth/analytics.manage.users',
                 'https://www.googleapis.com/auth/analytics.provision',
                 'https://www.googleapis.com/auth/analytics.user.deletion']

# Use the service account's own identity directly, no impersonation
source_credentials = service_account.Credentials.from_service_account_file(
    'ga-1234567890.json',
    scopes=target_scopes)

client = AnalyticsAdminServiceClient(credentials=source_credentials)

it returns the exception:

Oops! <class 'google.api_core.exceptions.Unauthenticated'> occurred. grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNAVAILABLE
details = "Getting metadata from plugin failed with error: ('Unable to acquire impersonated credentials', '{\n  "error": {\n"code": 404,\n"message": "Not found; Gaia id not found for email ga@domain.tld",\n"status": "NOT_FOUND"\n  }\n}\n')"
debug_error_string = "UNKNOWN:Error received from peer analyticsadmin.googleapis.com:443 {created_time:"2022-11-17T15:28:49.7504959+00:00", grpc_status:14, grpc_message:"Getting metadata from plugin failed with error: (\'Unable to acquire impersonated credentials\', \'{\\n  \"error\": {\\n\"code\": 404,\\n\"message\": \"Not found; Gaia id not found for email ga@domain.tld\",\\n\"status\": \"NOT_FOUND\"\\n  }\\n}\\n\')"}"

On the service account ga@googleanalytics.iam.gserviceaccount.com, the principal ga@domain.tld has the roles Service Account Token Creator and Service Account User.

The service account ga@googleanalytics.iam.gserviceaccount.com has domain-wide delegation configured in the Google Workspace admin console with the scopes:

https://www.googleapis.com/auth/analytics
https://www.googleapis.com/auth/analytics.edit
https://www.googleapis.com/auth/analytics.manage.users
https://www.googleapis.com/auth/analytics.provision
https://www.googleapis.com/auth/analytics.user.deletion

Not sure what I'm missing here; any suggestions would be appreciated.

Assuming you have configured domain-wide delegation to the service account through your Google Workspace, and configured it as a user that has access to the Google Analytics account.

The same code used for delegation to the other APIs should work as well.

from google.analytics.admin import AnalyticsAdminServiceClient
from google.oauth2 import service_account

# The requested scopes must be among those authorized for the service
# account's client ID under domain-wide delegation (Analytics scopes here,
# not the AdWords scope copied from the other API's example)
credentials = service_account.Credentials.from_service_account_file(
    'my_json.json',
    scopes=['https://www.googleapis.com/auth/analytics.edit'])

# Domain-wide delegation: act as the Workspace user via with_subject(),
# rather than IAM impersonation
delegated_credentials = credentials.with_subject("user@yourdomain.com")

client = AnalyticsAdminServiceClient(credentials=delegated_credentials)

Now, looking at your error message, I wonder whether the system supports it.

I'm going to send an email to the team; let's check whether delegation is supported before we go chasing this.
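The question's `impersonated_credentials` code and the answer's `with_subject` code go through two different mechanisms, and only one of them exists for a Workspace user. The following is an added example (it is not the asker's or the answerer's code, and not part of google-auth) that picks the mechanism from the target principal and shows the claim set of the domain-wide-delegation assertion that `with_subject()` signs. The function names `choose_method`, `build_delegation_claims`, `delegated_credentials` and `impersonated_sa_credentials` are assumptions of this example; `AUTHORIZED_SCOPES` is constructed from the scope list in the question and stands in for the allow-list configured on your own client ID.

```python
"""Added example, not the page's code: choose between IAM impersonation (only
valid for a service account target) and domain-wide delegation (the only way
to act as a Workspace user), and validate the delegation claim set up front.
Assumed names: choose_method, build_delegation_claims, delegated_credentials,
impersonated_sa_credentials.
"""
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"  # 'aud' of a delegation assertion
SA_SUFFIX = ".iam.gserviceaccount.com"
MAX_LIFETIME = 3600  # longest assertion lifetime the token endpoint accepts

# Constructed from the question: scopes granted to the service account's client ID
# in the Workspace admin console. Keep this as tight as the job actually needs.
AUTHORIZED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/analytics",
    "https://www.googleapis.com/auth/analytics.edit",
    "https://www.googleapis.com/auth/analytics.manage.users",
    "https://www.googleapis.com/auth/analytics.provision",
    "https://www.googleapis.com/auth/analytics.user.deletion",
})


def is_service_account(principal: str) -> bool:
    """Only service accounts can be targets of the IAM Credentials API."""
    return principal.strip().lower().endswith(SA_SUFFIX)


def choose_method(target_principal: str) -> str:
    """'iam_impersonation' for a service account, 'domain_wide_delegation' for a
    Workspace user. Pointing impersonated_credentials at a user is what yields
    the 404 'Gaia id not found for email' seen in the question."""
    if is_service_account(target_principal):
        return "iam_impersonation"
    return "domain_wide_delegation"


def build_delegation_claims(sa_email, subject, scopes, lifetime=MAX_LIFETIME, now=None):
    """Claim set google-auth signs (RS256 with the service account key) for
    with_subject(): iss = service account, sub = user acted for, scope =
    space-separated scopes, aud = token endpoint, iat/exp = validity window.
    Rejects the misconfigurations a reviewer would flag before anything is signed."""
    if not is_service_account(sa_email):
        raise ValueError("iss must be the service account e-mail")
    if is_service_account(subject):
        raise ValueError("sub must be a Workspace user; use IAM impersonation for a service account")
    unauthorized = sorted(set(scopes) - AUTHORIZED_SCOPES)
    if unauthorized:
        raise ValueError(f"scopes not authorized for domain-wide delegation: {unauthorized}")
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError(f"lifetime must be between 1 and {MAX_LIFETIME} seconds")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": sa_email,
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }


def delegated_credentials(key_file, subject, scopes):
    """Real path for a user target. google-auth is imported lazily so the
    module itself runs without the library or network access."""
    from google.oauth2 import service_account

    creds = service_account.Credentials.from_service_account_file(key_file, scopes=list(scopes))
    build_delegation_claims(creds.service_account_email, subject, scopes)  # validate first
    return creds.with_subject(subject)


def impersonated_sa_credentials(source_credentials, target_sa, scopes, lifetime=500):
    """Real path for a service account target (IAM Credentials generateAccessToken)."""
    from google.auth import impersonated_credentials

    if choose_method(target_sa) != "iam_impersonation":
        raise ValueError(f"{target_sa} is a user; use delegated_credentials() instead")
    return impersonated_credentials.Credentials(
        source_credentials=source_credentials,
        target_principal=target_sa,
        target_scopes=list(scopes),
        lifetime=lifetime,
    )


if __name__ == "__main__":
    print(choose_method("ga@domain.tld"))
    print(build_delegation_claims("ga@googleanalytics.iam.gserviceaccount.com", "ga@domain.tld",
                                  ["https://www.googleapis.com/auth/analytics.edit"],
                                  lifetime=500, now=0))
```

Routing by principal type catches the question's mistake at the call site instead of after a gRPC round trip, and validating the claim set against the scopes actually authorized for the client ID keeps a delegated token from requesting more than the admin console granted.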
