Jos*_*ker 5 security google-cloud-platform gcloud
注销 Google Cloud似乎应该很容易。如果我运行:
$ unset GOOGLE_APPLICATION_CREDENTIALS
$ gcloud auth revoke --all
Revoked credentials:
- [my account]
$ gcloud auth list
No credentialed accounts.
To login, run:
$ gcloud auth login `ACCOUNT`
乍一看我好像完全退出了gcloud。但是看看当我打开 Python shell 时会发生什么:
>>> from google.cloud import secretmanager_v1beta1 as secretmanager
>>> client = secretmanager.SecretManagerServiceClient()
/Users/my/path/.venv/lib/python3.7/site-packages/google/auth/_default.py:66: UserWarning: Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most server applications use service accounts instead. If your application continues to use end user credentials from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about service accounts, see https://cloud.google.com/docs/authentication/
warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING)
>>> path = client.secret_version_path(project="my-project-name", secret="my-secret", secret_version="latest")
>>> secret = client.access_secret_version(path)
>>> secret.payload.data.decode()
"Oh, no! I should be secret!"
正如您所看到的,即使我运行了,gcloud auth revoke --all我仍然可以使用存储在某处的用户凭据通过 Python SDK 访问 Google Cloud。有没有办法在我的笔记本电脑上完全注销 Google Cloud?
编辑:进一步澄清:这台计算机上没有保存任何 Google Cloud Service 帐户 JSON 文件,并且我已取消设置GOOGLE_APPLICATION_CREDENTIALS环境变量。
我不确定这是否会对您有任何帮助,但我遇到了类似的问题。使用该命令撤销所有凭据后,gcloud auth revoke --all我仍然可以针对我的环境执行脚本。最后,我发现应用程序默认凭据文件位于~/.config/gcloud/application_default_credentials.json。重命名或删除此文件有助于完全撤销凭据。现在客户端库无法访问环境:
File "audit_test.py", line 8, in main
client = resource_manager.Client()
File "fake_path/python3.7/site-packages/google/cloud/resource_manager/client.py", line 72, in __init__
super(Client, self).__init__(credentials=credentials, _http=_http)
File "fake_path/python3.7/site-packages/google/cloud/client.py", line 132, in __init__
credentials, _ = google.auth.default()
File "fake_path/python3.7/site-packages/google/auth/_default.py", line 321, in default
raise exceptions.DefaultCredentialsError(_HELP_MESSAGE)
google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://cloud.google.com/docs/authentication/getting-started
| 归档时间: |
|
| 查看次数: |
18969 次 |
| 最近记录: |