AttributeError: 'tuple' object 沒有屬性 'authorize' - GCP 使用 Workload Identity Federation 創建服務帳戶

Question

我正在嘗試在 GCP 中使用 Python 創建一個服務帳戶。 當我將 env var GOOGLE_APPLICATION_CREDENTIALS 設置為 JSON 憑據文件並使用以下代碼時，這可以正常工作：

GoogleCredentials.get_application_default()

但是，以下代碼在 CI 中失敗 - Github Actions using Workload Identity Federation：

import google
import googleapiclient.discovery
import os
from util import get_service_name

environment = os.getenv('ENVIRONMENT')

def create_service_account(requested_project_id):
    project_id = requested_project_id
    credentials = google.auth.default()

    service = googleapiclient.discovery.build(
        'iam', 'v1', credentials=credentials)

    service_account_name = f'svc-{get_service_name()}'

    service_accounts = service.projects().serviceAccounts().list(
        name='projects/' + project_id).execute()

    service_account_exists = False

    for account in service_accounts['accounts']:
        if (service_account_name in account['name']):
            service_account_exists = True
            service_account = account
            break

    if (service_account_exists == False):
        service_account = service.projects().serviceAccounts().create(
            name='projects/' + project_id,
            body={
                'accountId': service_account_name,
                'serviceAccount': {
                    'displayName': service_account_name
                }
            }).execute()
        
    print(f'{"Already Exists" if service_account_exists else "Created"} service account: ' + service_account['email'])

    return service_account

失敗並出現錯誤：

 File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/_helpers.py", line 131, in positional_wrapper
    return wrapped(*args, **kwargs)   File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/discovery.py", line 298, in build
    service = build_from_document(   File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/_helpers.py", line 131, in positional_wrapper
    return wrapped(*args, **kwargs)   File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/discovery.py", line 600, in build_from_document
    http = _auth.authorized_http(credentials)   File "/opt/hostedtoolcache/Python/3.9.0/x64/lib/python3.9/site-packages/googleapiclient/_auth.py", line 119, in authorized_http
    return credentials.authorize(build_http()) AttributeError: 'tuple' object has no attribute 'authorize'

我正在使用以下 Github 操作向 Google 進行身份驗證

- name: Authenticate to Google Cloud To Create Service Account
  uses: google-github-actions/auth@v0.4.3
  with:
    workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-actions-identity-pool/providers/github-provider'
    service_account: 'svc-iam-creator-dev@acme-dev-tooling.iam.gserviceaccount.com'

任何人都可以幫忙嗎？

Answer 1

你有兩個問題。 這行代碼失敗了：

credentials = google.auth.default()

問題 1 - 生成 Google OAuth 訪問令牌

將 GitHub 操作步驟更改為：

- name: Authenticate to Google Cloud To Create Service Account
  uses: google-github-actions/auth@v0.4.3
  with:
    token_format: 'access_token'  # Your python code needs an access token
    access_token_lifetime: '300s' # make this value small but long enough to complete the job
    workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-actions-identity-pool/providers/github-provider'
    service_account: 'svc-iam-creator-dev@acme-dev-tooling.iam.gserviceaccount.com'

問題 2 - 創建憑證

此行將不起作用，因為 ADC（應用程序默認憑據）不提供憑據。

credentials = google.auth.default()

將 Workload Identity Federation 生成的訪問令牌從 GitHub 操作 output 傳遞到您的程序：

${{ steps.auth.outputs.access_token }}

從訪問令牌創建憑據：

credentials = google.oauth2.credentials.Credentials(access_token)
service = googleapiclient.discovery.build('iam', 'v1', credentials=credentials)