Unable to access Google Cloud storage from Google Kubernetes Engine cluster

I have a simple application that receives and displays information from a data warehouse.

It works all over the place, but when I run it from within the Kubernetes Engine cluster, I get this output:

Error from Get()
rpc error: code = PermissionDenied desc = Request had insufficient authentication scopes.
Error from Put()
rpc error: code = PermissionDenied desc = Request had insufficient authentication scopes.

I am using the cloud.google.com/go/datastore Go package and language.

I don’t know why I am getting this error, since the application works everywhere, just fine.

Update:

Looking for an answer, I found this comment on Google Groups:

To use Cloud Datastore from GCE, the instance must have several additional scopes. They cannot be added to existing GCE instances, but you can create a new one using the following Cloud SDK command:

gcloud hello-datastore --project  - zone --scope datastore userinfo-email

, Datastore GKE ?

Update 2:


, CloudSQL , ( cloudsql_proxy).

+6
3


  • Kubernetes GCE, .

  • , , , Pods - .

  • node ( ), , , GCP, Datastore.

  • node gcloud, , node ( ).

, , , JSON, Kubernetes, , Datastore GOOGLE_APPLICATION_CREDENTIALS JSON.

, , GOOGLE_APPLICATION_CREDENTIALS Datastore API JSON, .

YAML:

  ...
  containers:
  - image: foo
    name: foo
    env:
    - name: GOOGLE_APPLICATION_CREDENTIALS
      value: /auth/credentials.json
    volumeMounts:
    - name: foo-service-account
      mountPath: "/auth"
      readOnly: true
  volumes:
  - name: foo-service-account
    secret:
      secretName: foo-service-account
+10
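The "insufficient authentication scopes" error on this page is decided by the OAuth scopes of the node's default service account, which a Pod can read from the GCE metadata server. The following is an added example (not code from the question or any answer) that fetches those scopes from inside a Pod and reports whether one that Datastore accepts is present; the metadata URL and the `Metadata-Flavor` header are the real GCE ones, and `baseURL` is a parameter only so that a local test server can stand in for the metadata server.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Scopes that satisfy the Datastore API; the userinfo-email scope alone does not.
const (
	DatastoreScope     = "https://www.googleapis.com/auth/datastore"
	CloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform"
)

// HasDatastoreScope reports whether the granted scopes cover Datastore.
func HasDatastoreScope(scopes []string) bool {
	for _, s := range scopes {
		if s == DatastoreScope || s == CloudPlatformScope {
			return true
		}
	}
	return false
}

// FetchNodeScopes asks the GCE metadata server (http://metadata.google.internal from a Pod)
// which scopes the node's default service account holds; the reply is one scope per line.
func FetchNodeScopes(baseURL string) ([]string, error) {
	req, err := http.NewRequest("GET", baseURL+"/computeMetadata/v1/instance/service-accounts/default/scopes", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata-Flavor", "Google") // required, or the metadata server refuses the request
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil || resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("metadata server: %s (%v)", resp.Status, err)
	}
	return strings.Fields(string(body)), nil // scopes contain no whitespace, so Fields splits the lines
}

func main() {
	scopes, err := FetchNodeScopes("http://metadata.google.internal")
	fmt.Println("node scopes:", scopes, "error:", err, "Datastore allowed:", HasDatastoreScope(scopes))
}
```

If the check reports false, the node scopes are the cause and the key-file approach from the answer above (or recreating the node pool with a suitable scope) is needed.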

. , Google:

  1. gcloud iam service-accounts create [SERVICE_ACCOUNT_NAME]

  2. iam

    gcloud iam service-accounts list

    :

    [SERVICE_ACCOUNT_NAME]@[PROJECT_NAME].iam.gserviceaccount.com

  3. gcloud projects add-iam-policy-binding [PROJECT_NAME] --member serviceAccount:[SERVICE_ACCOUNT_NAME]@[PROJECT_NAME].iam.gserviceaccount.com --role roles/owner

  4. gcloud iam service-accounts keys create mycredentials.json --iam-account [SERVICE_ACCOUNT_NAME]@[PROJECT_NAME].iam.gserviceaccount.com

  5. app-key

    kubectl create secret generic app-key --from-file=credentials.json=mycredentials.json

    app-key deploy.yaml

  6. deployment

deployment.yaml:

...
spec:
 containers:
 - name: app
   image: eu.gcr.io/google_project_id/springapplication:v1
   volumeMounts:
   - name: google-cloud-key
     mountPath: /var/secrets/google
   env:
   - name: GOOGLE_APPLICATION_CREDENTIALS
     value: /var/secrets/google/credentials.json
   ports:
   - name: http-server
     containerPort: 8080
 volumes:
 - name: google-cloud-key
   secret:
     secretName: app-key
0

Dockerfile, :

FROM scratch
ADD main /
EXPOSE 80
CMD ["/main"]

GCP go "". , SCRATCH Docker // , Google. Dockerfile :

FROM golang:alpine
RUN apk add --no-cache ca-certificates
ADD main /
EXPOSE 80
CMD ["/main"]

I do not need to specify the Google Credentials environment variable. The library seems to automatically understand where it works (perhaps from context.Background()?) and automatically uses the default service account that Google creates for you when creating the cluster in GKE.

0

Source: https://habr.com/ru/post/1690183/
