Authenticating a Google Cloud service account inside a Docker image

bw4*_*4sz 6 docker google-cloud-platform gcloud

I'm seeing different behavior inside and outside a Docker image when authenticating a Google service account.

Outside: succeeds.

C:\Users\Ben\AppData\Local\Google\Cloud SDK>gcloud auth activate-service-account 773889352370-compute@developer.gserviceaccount.com --key-file C:/Users/Ben/Dropbox/Google/MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
Activated service account credentials for: [773889352370-compute@developer.gserviceaccount.com]

Run the Docker container, passing the .json key into the tmp directory.

C:\Users\Ben\AppData\Local\Google\Cloud SDK>docker run -it -v C:/Users/Ben/Dropbox/Google/MeerkatReader-d77c0d6aa04f.json:/tmp/MeerkatReader-d77c0d6aa04f.json  --rm -p "127.0.0.1:8080:8080" --entrypoint=/bin/bash  gcr.io/cloud-datalab/datalab:local-20161227

Inside Docker, confirm the file is there.

root@4a4a9314f15c:/tmp# ls
MeerkatReader-d77c0d6aa04f.json  npm-24-b7aa1bcf  npm-45-fd13ef7c  npm-7-22ec336e

Run the same command as before. It fails.

root@4a4a9314f15c:/tmp# gcloud auth activate-service-account 773889352370-compute@developer.gserviceaccount.com --key-file MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
ERROR: (gcloud.auth.activate-service-account) Failed to activate the given service account. Please ensure provided key file is valid.

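What could cause this error? More broadly, what is the recommended strategy for passing credentials? I tried this, and it failed too. I'm using the cloudml API and Cloud Vision, and I'd like to avoid a manual gcloud init at the start of every run.

Edit: showing gcloud info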

root@7ff49b26484f:/# gcloud info --run-diagnostics
Network diagnostic detects and fixes local network connection issues.
Checking network connection...done.
Reachability Check passed.
Network diagnostic (1/1 checks) passed.

Confirming the same behavior

root@7ff49b26484f:/tmp# gcloud auth activate-service-account 773889352370-compute@developer.gserviceaccount.com --key-file MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
ERROR: (gcloud.auth.activate-service-account) Failed to activate the given service account. Please ensure provided key file is valid.

Mar*_*ijn 5

This is probably caused by clock skew in the Docker VM. I debugged the Google SDK's activate-service-account function and got the following error message:

There was a problem refreshing your current auth tokens: invalid_grant:  
Invalid JWT: Token must be a short-lived token and in a reasonable timeframe
Please run:
$ gcloud auth login

to obtain new credentials, or if you have already logged in with a different account:

$ gcloud config set account ACCOUNT

to select an already authenticated account to use.

After restarting the VM, it worked like a charm.

  • Same problem - the clock was a few minutes ahead! (2 upvotes)

Nic*_*ick 1

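Have you tried putting the credentials into the image from the start? Is the result similar?

On the other hand, have you tried using --key-file /tmp/MeerkatReader-d77c0d6aa04f.json? Because it looks like you are putting the json file into /tmp.

You might also consider checking the network configuration from inside the container, as well as from outside using docker.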
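
An added example, not part of the original question or answers: a small Python check, meant to be run inside the container, for the two causes the answers raise, a key file that is unusable at the given path and a container clock that disagrees with the server. The sample account, key material, timestamps and the 60-second tolerance are constructed assumptions.

```python
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Fields present in a Google service-account JSON key file.
REQUIRED = ("type", "client_email", "private_key_id", "private_key", "token_uri")
# Assumed tolerance for this check; not a limit stated on this page.
MAX_SKEW_SECONDS = 60

def key_problems(raw, expected_email):
    """Return structural problems in the key file text (empty list = looks sane)."""
    try:
        key = json.loads(raw)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing field: {name}" for name in REQUIRED if not key.get(name)]
    if key.get("type") and key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    if key.get("client_email") and key["client_email"] != expected_email:
        problems.append("client_email does not match the account being activated")
    return problems

def clock_skew_seconds(http_date, local_now=None):
    """Seconds the local clock is ahead (+) or behind (-) of a server Date header."""
    server = parsedate_to_datetime(http_date)
    local = local_now or datetime.now(timezone.utc)
    return (local - server).total_seconds()

def diagnose(raw_key, expected_email, http_date, local_now=None):
    """Run both checks and return human-readable findings."""
    findings = key_problems(raw_key, expected_email)
    skew = clock_skew_seconds(http_date, local_now)
    if abs(skew) > MAX_SKEW_SECONDS:
        findings.append(f"clock skew {skew:+.0f}s exceeds {MAX_SKEW_SECONDS}s tolerance")
    return findings

# Constructed sample data (placeholder account and key material, not real credentials).
SAMPLE_EMAIL = "example-sa@example-project.iam.gserviceaccount.com"
SAMPLE_KEY = json.dumps({"type": "service_account", "client_email": SAMPLE_EMAIL,
    "private_key_id": "0000", "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n",
    "token_uri": "https://oauth2.googleapis.com/token"})
SAMPLE_DATE = "Tue, 27 Dec 2016 12:00:00 GMT"                     # server Date header
SAMPLE_NOW = datetime(2016, 12, 27, 12, 4, tzinfo=timezone.utc)   # container clock, 4 min ahead

if __name__ == "__main__":
    for line in diagnose(SAMPLE_KEY, SAMPLE_EMAIL, SAMPLE_DATE, SAMPLE_NOW) or ["no problems found"]:
        print(line)
```

In real use, read the key text from the mounted path and take the Date header from any HTTPS response returned by Google.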