【发布时间】:2014-05-14 10:42:02
【问题描述】:
当您在 Google Compute Engine 中创建实例 A 时,它将获得预定义的“默认”服务帐户(这基本上意味着您可以从 A 查询 google API,并使用“默认”服务帐户进行身份验证)。 我想做的是使用服务帐户设置 GCE 实例,这与默认帐户不同。考虑到 GCE API,这在概念上应该是可行的,但会因异常而失败:
{
"name": "operation-1400060483459-4f958fbc7d7b9-cd817778-b80d1cad",
"operationType": "insert",
"status": "DONE",
"user": "some_name@developer.gserviceaccount.com",
"error": {
"errors": [ {
"code": "SERVICE_ACCOUNT_ACCESS_DENIED",
"message": "The user does not have access to service account 'some_name@developer.gserviceaccount.com'"
} ] } }
这是我在 python 中的代码,用于设置实例:
discovery_service = discovery.build('compute',
config['compute_api_version'],
http=SignedJwtAssertionCredentials(
service_account_name="some_name@developer.gserviceaccount.com",
private_key=key_data,
scope='https://www.googleapis.com/auth/compute')
.authorize(httplib2.Http()))
instance = {}
# sets instance configuration details here
# ...
# ...
instance['serviceAccounts'] = [{
'email': "some_name@developer.gserviceaccount.com",
'scopes': ['https://www.googleapis.com/auth/devstorage.full_control',
'https://www.googleapis.com/auth/compute',
'https://www.googleapis.com/auth/userinfo.email', ]
}]
discovery_service.instances().insert(project=project, zone=zone, body=instance)
其中最奇怪的部分是,异常显示“用户无权访问服务帐户 'some_name@developer.gserviceaccount.com'”,但它所指的“用户”是 'some_name@developer.gserviceaccount .com' 本身!这意味着“some_name@developer.gserviceaccount.com”无权访问“some_name@developer.gserviceaccount.com”,这没有任何意义。
【问题讨论】:
-
你能解决这个问题吗?
标签: python google-compute-engine