
GCloud App Engine (flexible) Default Service Account Scope

I am trying to connect to Google Calendar from a service running in the GCP App Engine flexible environment, using the default service account. I have set the correct scope required for read-only access to calendar events (https://www.googleapis.com/auth/calendar.events.readonly), and I am able to access the calendar locally when impersonating the service account.

My service runs on Java Spring Boot and fails with the following error:

{
  "message": "Request had insufficient authentication scopes.",
  "status": "PERMISSION_DENIED",
  "details": [
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
    "domain": "googleapis.com",
    "metadata": {
      "service": "calendar-json.googleapis.com",
      "method": "calendar.v3.Events.List"
    }
  }
}

Code snippet

import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport
import com.google.api.client.json.gson.GsonFactory
import com.google.api.client.util.DateTime
import com.google.api.gax.core.GoogleCredentialsProvider
import com.google.api.services.calendar.Calendar
import com.google.auth.http.HttpCredentialsAdapter
import java.util.Date

// Ask the application default credentials for the read-only events scope.
// On App Engine flexible these credentials come from the instance metadata server.
val scopes = listOf("https://www.googleapis.com/auth/calendar.events.readonly")
val credentialsProvider = GoogleCredentialsProvider.newBuilder().setScopesToApply(scopes).build()

// applicationName and config.calendarId come from the service's own configuration.
val calendarService = Calendar.Builder(GoogleNetHttpTransport.newTrustedTransport(),
                                GsonFactory.getDefaultInstance(),
                                HttpCredentialsAdapter(credentialsProvider.credentials))
            .setApplicationName(applicationName)
            .build()

// List the next four upcoming events; this is the call that fails with ACCESS_TOKEN_SCOPE_INSUFFICIENT.
calendarService.events().list(config.calendarId)
            .setSingleEvents(true)
            .setTimeMin(DateTime(Date()))
            .setMaxResults(4)
            .execute()

Dependencies

  • com.google.cloud:spring-cloud-gcp-dependencies:3.1.0
  • org.springframework.cloud:spring-cloud-dependencies:2021.0.1
  • com.google.cloud:spring-cloud-gcp-starter
  • com.google.auth:google-auth-library-appengine
  • com.google.appengine:appengine-api-1.0-sdk
  • com.google.apis:google-api-services-calendar:v3-rev411-1.25.0

What I have tried

I accessed the metadata endpoint directly on the application instance to inspect the token it hands out, only to find that the token issued does not have the calendar scope I specified.

$ curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.events.readonly" -H 'Metadata-Flavor: Google'
{"access_token":"ya29.xxxxxx....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................","expires_in":3518,"token_type":"Bearer"}

$ curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$token" https://www.googleapis.com/oauth2/v1/tokeninfo
{
  "issued_to": "xxxxxxx",
  "audience": "xxxxxxx",
  "scope": "https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/appengine.apis",
  "expires_in": 3493,
  "email": "<project-id>@appspot.gserviceaccount.com",
  "verified_email": true,
  "access_type": "online"
}

Google Compute Engine instances can have the permissions of their service account limited by access scopes.

The scopes you listed are the default access scopes (link). This means that the scope you added is being filtered out by the VM instance settings.

In the Google Cloud Console GUI, change the VM instance's access scopes to Allow full access to all Cloud APIs. You can also use the CLI (link).
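The check the question performed by hand (token from the metadata server, then tokeninfo) is worth scripting, because the ?scope= parameter on the metadata request is a request, not a guarantee: the instance's access scopes cap what the token can carry, which is what the tokeninfo output above shows. The script below is an added example and not part of the question or the answer. The tokeninfo JSON it parses is constructed to match the question's output so the check runs offline; the gcloud commands it prints are the Compute Engine route the answer refers to (set-service-account requires a stopped instance), and whether they apply to an instance managed by App Engine flexible is not something this page establishes.

```shell
#!/bin/sh
# Added example: verify that an access token actually carries a required
# OAuth2 scope before blaming the client library.

REQUIRED_SCOPE='https://www.googleapis.com/auth/calendar.events.readonly'

# Constructed sample: the "scope" field exactly as the question's tokeninfo
# call reported it (default instance scopes, no calendar scope).
SAMPLE_TOKENINFO='{
  "issued_to": "xxxxxxx",
  "scope": "https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/appengine.apis",
  "expires_in": 3493,
  "email": "<project-id>@appspot.gserviceaccount.com"
}'

# Extract the space-separated scope list from a tokeninfo JSON body.
# sed only, no jq; assumes the "scope" value sits on a single line.
token_scopes() {
  printf '%s\n' "$1" | sed -n 's/.*"scope": *"\([^"]*\)".*/\1/p'
}

# Number of scopes in the tokeninfo body (handy for sanity checks).
scope_count() {
  set -- $(token_scopes "$1")
  echo $#
}

# Return 0 if the exact scope is present, 1 otherwise. Whole-token
# comparison, so .../auth/calendar does not pass for .../auth/calendar.events.readonly.
has_scope() {
  for s in $(token_scopes "$1"); do
    [ "$s" = "$2" ] && return 0
  done
  return 1
}

# Live check, only meaningful on a GCE / App Engine flexible instance:
# fetch a token from the metadata server, then ask tokeninfo what it carries.
check_instance_token() {
  encoded=$(printf '%s' "$REQUIRED_SCOPE" | sed 's|:|%3A|g; s|/|%2F|g')
  token=$(curl -s -H 'Metadata-Flavor: Google' \
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scope=$encoded" \
    | sed -n 's/.*"access_token": *"\([^"]*\)".*/\1/p')
  info=$(curl -s -d "access_token=$token" https://www.googleapis.com/oauth2/v1/tokeninfo)
  has_scope "$info" "$REQUIRED_SCOPE"
}

# Demonstration on the constructed sample: the calendar scope is absent.
if has_scope "$SAMPLE_TOKENINFO" "$REQUIRED_SCOPE"; then
  echo "token carries $REQUIRED_SCOPE"
else
  echo "token lacks $REQUIRED_SCOPE; widen the instance access scopes, e.g. on a Compute Engine VM:"
  echo "  gcloud compute instances stop INSTANCE --zone ZONE"
  echo "  gcloud compute instances set-service-account INSTANCE --zone ZONE \\"
  echo "    --scopes cloud-platform,$REQUIRED_SCOPE"
  echo "  gcloud compute instances start INSTANCE --zone ZONE"
fi
```

Run check_instance_token on the instance itself; a non-zero exit means the metadata server silently dropped the requested scope, and no amount of setScopesToApply in the client will add it back.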

