eat*_*ood 5 python json google-cloud-storage google-cloud-platform
对于 Google Cloud Platform 存储客户端的身份验证,我不想将服务帐户 JSON(您创建的凭据文件)写入磁盘。我想在从所有云实例共享的 Hashicorp Vault 密钥库加载它们后,将它们纯粹保留在内存中。有没有办法直接传递 JSON 凭据,而不是传递类似路径/文件对象?
我了解如何使用类似路径/文件对象来执行此操作,如下所示,但这是我想要避免的(由于安全问题,我宁愿永远不要将它们写入磁盘):
from google.cloud import storage
# set an environment variable that relies on a JSON file
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service_account.json"
# create the client (assumes the environment variable is set)
client = storage.Client()
# alternately, one can create the client without the environment
# variable, but this still relies on a JSON file.
client = storage.Client.from_service_account_json("/path/to/service_account.json")
我试图通过直接引用 JSON 数据 (json_data) 来解决这个问题,但这会引发错误:TypeError: expected str, bytes or os.PathLike object, not dict
json_data = {....[JSON]....}
client = storage.Client.from_service_account_json(json_data)
另外,转储到 JSON,但出现错误:
with io.open(json_credentials_path, "r", encoding="utf-8") as json_fi:
OSError: [Errno 63] File name too long: '{"type": "service_account", "project_id",......
json_data = {....[JSON]....}
client = storage.Client.from_service_account_json(json.dumps(json_data))
根据@johnhanley的建议,我也尝试过:
from google.cloud import storage
from google.oauth2 import service_account
json_data = {...data loaded from keystore...}
type(json_data)
dict
credentials = service_account.Credentials.from_service_account_info(json_data)
type(credentials)
google.oauth2.service_account.Credentials
client = storage.Client(credentials=credentials)
这导致了 DefaultCredentialsError:
raise exceptions.DefaultCredentialsError(_HELP_MESSAGE)
google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://developers.google.com/accounts/docs/application-default-credentials.
如果您有解决此问题的想法,我很想听听!
Currently there aren't built-in methods in the client library for Cloud Storage to achieve this. So here there would be 2 possibilites:
您还可以考虑使用其他产品,例如Cloud Functions或App Engine,它们允许您在服务级别配置身份验证并避免提供服务帐户凭据。