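GCloud App Engine (flexible) Default Service Account Scope
I am trying to connect to Google Calendar from a service running in the GCP App Engine flexible environment, using the default service account. I have set the correct scope required for read-only access to calendar events (https://www.googleapis.com/auth/calendar.events.readonly) and I am able to access the calendar locally when impersonating the service account.
My service runs on Java Spring Boot and fails with the following error: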
{
  "message": "Request had insufficient authentication scopes.",
  "status": "PERMISSION_DENIED",
  "details": [
    {
      "@type": "type.googleapis.com/google.rpc.ErrorInfo",
      "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
      "domain": "googleapis.com",
      "metadata": {
        "service": "calendar-json.googleapis.com",
        "method": "calendar.v3.Events.List"
      }
    }
  ]
}
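import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport
import com.google.api.client.json.gson.GsonFactory
import com.google.api.client.util.DateTime
import com.google.api.gax.core.GoogleCredentialsProvider
import com.google.api.services.calendar.Calendar
import com.google.auth.http.HttpCredentialsAdapter
import java.util.Date

// Request the read-only calendar events scope on the default credentials.
val scopes = listOf("https://www.googleapis.com/auth/calendar.events.readonly")
val credentialsProvider = GoogleCredentialsProvider.newBuilder().setScopesToApply(scopes).build()
val calendarService = Calendar.Builder(GoogleNetHttpTransport.newTrustedTransport(),
        GsonFactory.getDefaultInstance(),
        HttpCredentialsAdapter(credentialsProvider.credentials))
    .setApplicationName(applicationName)
    .build()
// List the next four upcoming events; this is the call that returns PERMISSION_DENIED.
calendarService.events().list(config.calendarId)
    .setSingleEvents(true)
    .setTimeMin(DateTime(Date()))
    .setMaxResults(4)
    .execute()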
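Dependencies
I accessed the metadata endpoint directly on the application instance to check the provided token, only to find that the given token does not have the specified calendar scope.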
$ curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.events.readonly" -H 'Metadata-Flavor: Google'
{"access_token":"ya29.xxxxxx....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................","expires_in":3518,"token_type":"Bearer"}
$ curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$token" https://www.googleapis.com/oauth2/v1/tokeninfo
{
  "issued_to": "xxxxxxx",
  "audience": "xxxxxxx",
  "scope": "https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/appengine.apis",
  "expires_in": 3493,
  "email": "<project-id>@appspot.gserviceaccount.com",
  "verified_email": true,
  "access_type": "online"
}
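The check described in the post (compare the scopes reported by tokeninfo with the scope the rejected call needs) can be scripted. The following is an added example, not part of the original post: the function names, the `REQUIRED` set and both sample inputs are constructed here, modelled on the responses quoted above.

```python
import json

REQUIRED = {"https://www.googleapis.com/auth/calendar.events.readonly"}

# Constructed sample inputs, modelled on the responses quoted in the post.
API_ERROR = json.loads("""{
  "message": "Request had insufficient authentication scopes.",
  "status": "PERMISSION_DENIED",
  "details": [{
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
    "domain": "googleapis.com",
    "metadata": {"service": "calendar-json.googleapis.com",
                 "method": "calendar.v3.Events.List"}
  }]
}""")
TOKENINFO = json.loads("""{
  "scope": "https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email",
  "email": "example-project@appspot.gserviceaccount.com"
}""")

def error_info(body):
    """Return the first google.rpc.ErrorInfo detail of an API error, or None."""
    err = body.get("error", body)  # some clients wrap the error in {"error": ...}
    for detail in err.get("details", []):
        if detail.get("@type", "").endswith("google.rpc.ErrorInfo"):
            return detail
    return None

def missing_scopes(tokeninfo, required):
    """Scopes in `required` that are absent from the token's granted scopes."""
    # Exact string match only: a broader scope that also authorizes the call is not recognised.
    granted = set(tokeninfo.get("scope", "").split())
    return sorted(set(required) - granted)

def diagnose(api_error, tokeninfo, required):
    """Combine the API error and the tokeninfo response into one finding."""
    info = error_info(api_error)
    meta = info.get("metadata", {}) if info else {}
    return {
        "scope_error": bool(info) and info.get("reason") == "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
        "service": meta.get("service"),
        "method": meta.get("method"),
        "principal": tokeninfo.get("email"),
        "missing": missing_scopes(tokeninfo, required),
    }

if __name__ == "__main__":
    print(json.dumps(diagnose(API_ERROR, TOKENINFO, REQUIRED), indent=2))
```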