Problem description
I'm trying to use the standalone gsutil tool from within a container running in a GKE cluster, but I cannot get it to work. I believe the cluster has adequate permissions (see below). However, running
./gsutil ls gs://my-bucket/
yields
ServiceException: 401 Anonymous users does not have storage.objects.list access to bucket my-bucket.
Am I missing anything? I don't have a .boto file, as I believe it shouldn't be necessary—or is it? This is the list of scopes that the cluster and the node pool have:
- https://www.googleapis.com/auth/compute
- https://www.googleapis.com/auth/devstorage.full_control
- https://www.googleapis.com/auth/logging.write
- https://www.googleapis.com/auth/monitoring.write
- https://www.googleapis.com/auth/pubsub
- https://www.googleapis.com/auth/servicecontrol
- https://www.googleapis.com/auth/service.management.readonly
- https://www.googleapis.com/auth/trace.append
Recommended answer
Short answer:
Yes, you'll need some sort of boto file.
Long answer:
Generally, for GCE instances, you don't need a ~/.boto
file because the /etc/boto.cfg
file is already present -- the Boto library that GSUtil uses knows to look for this by default. On Debian images, it contains these lines:
# This file is automatically created at boot time by the /usr/lib/python
# 2.7/dist-packages/google_compute_engine/boto/boto_config.pyc script.
# Do not edit this file directly. If you need to add items to this file,
# create or edit /etc/boto.cfg.template instead and then re-run the
# script.
[GSUtil]
default_project_id = <PROJECT NUMBER HERE>
default_api_version = 2
[GoogleCompute]
service_account = default
[Plugin]
plugin_directory = /usr/lib/python2.7/dist-packages/google_compute_engine/boto
If you want to mimic this behavior on your GKE container, you'll have to have the google-compute-engine Python package installed, along with having a boto file that tells gsutil to load that plugin from wherever it was installed to, as seen above. On GCE (and I'm assuming GKE as well, although I've not tested it), this plugin allows a VM to talk to its metadata server to obtain credentials for the specified service account.
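The setup described in the answer, as an added example that is not part of the original post: a Python helper that checks whether any boto file is present in the container, locates the installed plugin, and renders the same three sections shown above. It assumes the plugin is importable as `google_compute_engine.boto` (inferred from the `plugin_directory` path above), that the script runs under the interpreter the package was installed for, and that `PROJECT_NUMBER` is a placeholder environment variable; `BOTO_CONFIG` is the standard boto variable for an alternate config path.

```python
import configparser
import importlib.util
import io
import os


def find_plugin_dir(package="google_compute_engine.boto"):
    """Return the directory of the installed boto plugin package, or None."""
    try:
        spec = importlib.util.find_spec(package)
    except ModuleNotFoundError:  # parent package is not installed
        return None
    if spec is None or not spec.submodule_search_locations:
        return None
    return list(spec.submodule_search_locations)[0]


def render_boto_config(project_id, plugin_dir, service_account="default"):
    """Build the three sections that /etc/boto.cfg carries on a GCE image."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep option names exactly as written
    cfg["GSUtil"] = {"default_project_id": project_id, "default_api_version": "2"}
    cfg["GoogleCompute"] = {"service_account": service_account}
    cfg["Plugin"] = {"plugin_directory": plugin_dir}
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


def existing_boto_files(env=os.environ, exists=os.path.exists):
    """List the boto config files present; none matches the 401 in the question."""
    candidates = [env.get("BOTO_CONFIG"), "/etc/boto.cfg", os.path.expanduser("~/.boto")]
    return [p for p in candidates if p and exists(p)]


if __name__ == "__main__":
    found = existing_boto_files()
    plugin_dir = find_plugin_dir()
    if found:
        print("boto config already present:", found)
    elif plugin_dir is None:
        print("google-compute-engine package not found; install it first")
    else:
        # PROJECT_NUMBER is a placeholder variable assumed for this example.
        project = os.environ.get("PROJECT_NUMBER", "<PROJECT NUMBER HERE>")
        target = os.environ.get("BOTO_CONFIG", os.path.expanduser("~/.boto"))
        with open(target, "w") as fh:
            fh.write(render_boto_config(project, plugin_dir))
        print("wrote", target)
```
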