问题
Is it possible to get an authorization bearer token for a Google Cloud service account without the use of gcloud?
That is, I would like to make an HTTP request (presumably signed in some way by my JSON key file) that would provide me the equivalent of
gcloud auth application-default print-access-token
This request would be made on my own server, where I may not wish to install gcloud and where I do not have access to any internal server metadata that might provide this (e.g., as is the case with Compute Engine).
Is there some oauth endpoint that provides something like this?
Alternately, is there some way to generate long-lived tokens with gcloud?
I'm new to the Google Cloud ecosystem, so excuse my ignorance and terminology...
回答1:
I think that this is exactly what you are looking for:
https://developers.google.com/identity/protocols/OAuth2#serviceaccount
Honestly I don't think that what you were trying to achieve was correct, running
gcloud auth application-default print-access-token
you get a token that is not intended to do what you were looking for:
"This command is useful when you are developing code that would normally use a service account but need to run the code in a local development environment where it's easier to provide user credentials."
This should guide you a bit more in the implementation of this solution: https://developers.google.com/identity/protocols/OAuth2ServiceAccount
回答2:
For your second question, “is there some way to generate long-lived tokens with gcloud?”, no there is not. However, you can use a refresh token to generate new access tokens. Check the first answer for this question:
OAuth2 and Google API: Access token expiration time?
And also, here’s an example of a python library that you can use as an authentication mechanism:
https://github.com/GoogleCloudPlatform/google-auth-library-python/blob/master/google/oauth2/credentials.py
回答3:
Here's what it looks like in golang:
import(
"google.golang.org/api/compute/v1"
"google.golang.org/api/container/v1"
"google.golang.org/api/iterator"
"google.golang.org/api/option"
"google.golang.org/api/transport"
)
ctx := context.Background()
creds, err := transport.Creds(ctx, option.WithScopes(compute.CloudPlatformScope))
token, err := creds.TokenSource.Token()
回答4:
There is no need for a library or an api. You can obtain it using
curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google" | jq -r .access_token
It is useful if you need it in a shell script.
来源:https://stackoverflow.com/questions/47059976/get-service-account-auth-token-without-gcloud