POM 文件详细信息:
<dependency>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-appengine</artifactId>
</dependency>
1.2.4.发布
jar 中包含的库: 第 643 行:步骤 #0:[信息] 从中心下载:https://repo.maven.apache.org/maven2/com/google/auth/google-auth-library-oauth2-http/0.21.1/google-auth-library-oauth2-http-0.21.1.pom 第 643 行:步骤 #0:[信息] 从中心下载:https://repo.maven.apache.org/maven2/com/google/auth/google-auth-library-oauth2-http/0.21.1/google-auth-library-oauth2-http-0.21.1.pom
环境细节
- 操作系统:Debian
- Java 版本:11
- google-auth-library-java 版本:0.21.1
重现步骤
- 上传 GCS 存储桶中的文件。
- 尝试使用下面给出的代码下载它。 堆栈跟踪
com.google.auth.ServiceAccountSigner$SigningException: Failed to sign the provided bytes
at com.google.auth.oauth2.IamUtils.sign(IamUtils.java:87)
at com.google.auth.oauth2.ComputeEngineCredentials.sign(ComputeEngineCredentials.java:361)
at com.google.cloud.storage.StorageImpl.signUrl(StorageImpl.java:772)
at com.google.cloud.storage.Blob.signUrl(Blob.java:822)
Caused by: java.io.IOException: Error code 403 trying to sign provided bytes: The caller does not have permission
at com.google.auth.oauth2.IamUtils.getSignature(IamUtils.java:125)
at com.google.auth.oauth2.IamUtils.sign(IamUtils.java:84)
... 69 more
代码片段
// [START auth_cloud_explicit_compute_engine]
public Storage authCompute() throws IOException {
// Explicitly request service account credentials from the compute engine
// instance.
//GoogleCredentials credentials = ComputeEngineCredentials.create();
GoogleCredentials credentials = ComputeEngineCredentials.getApplicationDefault();
Storage storage = StorageOptions.newBuilder().setCredentials(credentials).build().getService();
System.out.println("Buckets:");
Page<Bucket> buckets = storage.list();
for (Bucket bucket : buckets.iterateAll()) {
System.out.println(bucket.toString());
}
return storage;
}
// [END auth_cloud_explicit_compute_engine]
Storage storage = authUtil.authCompute();
Blob blob = storage.get(BlobId.of(bucketName, objectName));
return blob.signUrl(urlExpirationTime, TimeUnit.MILLISECONDS);
我的应用程序部署在 GKE 上。从那里我们正在尝试下载/获取签名 url 文件,即存储在 GCS 中。
最佳答案
ComputeEngineCredentials 使用 IAM sign blob API 调用,因此正在使用的服务帐户需要具有 iam.serviceAccounts.signBlob 权限。根据您的设置,这可能是 GKE 的默认服务帐户或工作负载身份。
关于google-kubernetes-engine - 403 试图签署提供的字节 : The caller does not have permission,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/63503247/