AttributeError: 'tuple' object has no attribute 'authorize' - GCP Create Service Account with Workload Identity Federation

I am trying to create a service account in GCP using Python. This works fine when I set the env var GOOGLE_APPLICATION_CREDENTIALS to a JSON credentials file and use the following code:

GoogleCredentials.get_application_default()

However, the following code fails in CI - Github Actions using Workload Identity Federation:

import google
import googleapiclient.discovery
import os
from util import get_service_name

environment = os.getenv('ENVIRONMENT')

def create_service_account(requested_project_id):
    project_id = requested_project_id
    credentials = google.auth.default()

    service = googleapiclient.discovery.build(
        'iam', 'v1', credentials=credentials)

    service_account_name = f'svc-{get_service_name()}'

    service_accounts = service.projects().serviceAccounts().list(
        name='projects/' + project_id).execute()

    service_account_exists = False

    for account in service_accounts['accounts']:
        if (service_account_name in account['name']):
            service_account_exists = True
            service_account = account
            break

    if (service_account_exists == False):
        service_account = service.projects().serviceAccounts().create(
            name='projects/' + project_id,
            body={
                'accountId': service_account_name,
                'serviceAccount': {
                    'displayName': service_account_name
                }
            }).execute()
        
    print(f'{"Already Exists" if service_account_exists else "Created"} service account: ' + service_account['email'])

    return service_account

It fails with the error:

  File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/_helpers.py", line 131, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/discovery.py", line 298, in build
    service = build_from_document(
  File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/_helpers.py", line 131, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/discovery.py", line 600, in build_from_document
    http = _auth.authorized_http(credentials)
  File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/_auth.py", line 119, in authorized_http
    return credentials.authorize(build_http())
AttributeError: 'tuple' object has no attribute 'authorize'

I am using the following Github action to authenticate to Google:

- name: Authenticate to Google Cloud To Create Service Account
  uses: google-github-actions/auth@v0.4.3
  with:
    workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-actions-identity-pool/providers/github-provider'
    service_account: 'svc-iam-creator-dev@acme-dev-tooling.iam.gserviceaccount.com'

Can anyone help?

You have two problems. This line of code is failing:

credentials = google.auth.default()

Problem 1 - Generate a Google OAuth access token

Change the GitHub Actions step to:

- name: Authenticate to Google Cloud To Create Service Account
  id: auth                        # needed so later steps can read steps.auth.outputs.access_token
  uses: google-github-actions/auth@v0.4.3
  with:
    token_format: 'access_token'  # Your python code needs an access token
    access_token_lifetime: '300s' # make this value small but long enough to complete the job
    workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-actions-identity-pool/providers/github-provider'
    service_account: 'svc-iam-creator-dev@acme-dev-tooling.iam.gserviceaccount.com'

Problem 2 - Creating credentials

This line will not work because ADC (Application Default Credentials) does not provide credentials.

credentials = google.auth.default()

Pass the access token generated by Workload Identity Federation from the GitHub Actions output to your program:

${{ steps.auth.outputs.access_token }}

Create credentials from the access token:

credentials = google.oauth2.credentials.Credentials(access_token)
service = googleapiclient.discovery.build('iam', 'v1', credentials=credentials) 
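
An added example, not part of the original question or answer: one way to hand the short-lived token to the Python program through an environment variable, fail closed when it is missing, keep it out of logs, and catch the tuple from the traceback before it reaches `build()`. The variable name `GCP_ACCESS_TOKEN` and all helper names are assumptions made for this sketch.

```python
import os

# Assumed name: the workflow step maps steps.auth.outputs.access_token to this variable.
TOKEN_ENV = "GCP_ACCESS_TOKEN"


def read_access_token(environ=os.environ):
    """Return the bearer token from the environment, failing closed if it is absent."""
    token = environ.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set; check token_format: 'access_token' in the auth step")
    return token


def redact(token):
    """Short form that is safe to log: length only, never token characters."""
    return f"<access token, {len(token)} chars>"


def require_credentials(obj):
    """Reject the (credentials, project_id) tuple that google.auth.default() returns."""
    if isinstance(obj, tuple):
        raise TypeError("got a tuple; unpack it: credentials, project_id = google.auth.default()")
    return obj


def build_iam_service(environ=os.environ):
    """Build the IAM v1 client; needs google-auth and google-api-python-client installed."""
    import google.oauth2.credentials  # imported lazily so the helpers above run without the libraries
    import googleapiclient.discovery

    token = read_access_token(environ)
    credentials = require_credentials(google.oauth2.credentials.Credentials(token))
    print("authenticating with", redact(token))
    return googleapiclient.discovery.build("iam", "v1", credentials=credentials)


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    sample_env = {TOKEN_ENV: "constructed-sample-token\n"}
    print(redact(read_access_token(sample_env)))
    try:
        require_credentials(("credentials-object", "project-id"))
    except TypeError as exc:
        print("rejected:", exc)
```

Passing the token in the environment rather than as a command-line argument keeps it out of process listings; the 300-second lifetime set in the workflow bounds its usefulness if it does leak.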
