Problem description
POM file details:
<dependency>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-appengine</artifactId>
</dependency>
1.2.4.RELEASE
Library included in the jar: Line 643: Step #0: [INFO] Downloading from central: https://repo.maven.apache.org/maven2/com/google/auth/google-auth-library-oauth2-http/0.21.1/google-auth-library-oauth2-http-0.21.1.pom
Environment details
- OS: Debian
- Java version: 11
- google-auth-library-java version: 0.21.1
Steps to reproduce
com.google.auth.ServiceAccountSigner$SigningException: Failed to sign the provided bytes
at com.google.auth.oauth2.IamUtils.sign(IamUtils.java:87)
at com.google.auth.oauth2.ComputeEngineCredentials.sign(ComputeEngineCredentials.java:361)
at com.google.cloud.storage.StorageImpl.signUrl(StorageImpl.java:772)
at com.google.cloud.storage.Blob.signUrl(Blob.java:822)
Caused by: java.io.IOException: Error code 403 trying to sign provided bytes: The caller does not have permission
at com.google.auth.oauth2.IamUtils.getSignature(IamUtils.java:125)
at com.google.auth.oauth2.IamUtils.sign(IamUtils.java:84)
... 69 more
Code snippet
import com.google.api.gax.paging.Page;
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.IOException;
import java.util.concurrent.TimeUnit;

// [START auth_cloud_explicit_compute_engine]
public Storage authCompute() throws IOException {
  // Explicitly request service account credentials from the compute engine
  // instance.
  //GoogleCredentials credentials = ComputeEngineCredentials.create();
  GoogleCredentials credentials = ComputeEngineCredentials.getApplicationDefault();
  Storage storage = StorageOptions.newBuilder().setCredentials(credentials).build().getService();
  System.out.println("Buckets:");
  Page<Bucket> buckets = storage.list();
  for (Bucket bucket : buckets.iterateAll()) { // was iterateall(): method name is case-sensitive
    System.out.println(bucket.toString());
  }
  return storage;
}
// [END auth_cloud_explicit_compute_engine]

// Caller that produces the signed URL (authUtil holds the authCompute() helper above)
Storage storage = authUtil.authCompute();
Blob blob = storage.get(BlobId.of(bucketName, objectName));
return blob.signUrl(urlExpirationTime, TimeUnit.MILLISECONDS);
My application is deployed on GKE. From there we are trying to download / get the signed URL of a file stored in GCS.
Solution
ComputeEngineCredentials uses the IAM signBlob API call, so the service account in use needs the iam.serviceAccounts.signBlob permission. Depending on your setup, this may be the default service account of GKE or of Workload Identity.
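Because ComputeEngineCredentials delegates signing to the IAM signBlob API, the permission problem only surfaces at signUrl() time with the generic SigningException shown above. The following preflight check is an added example, not code from the issue or from google-auth-library-java: it signs a small constructed payload at startup and maps a 403 from IamUtils to an explicit message naming the service account and the missing iam.serviceAccounts.signBlob permission. The class name SignBlobPreflight and the Result enum are hypothetical helpers introduced here.

```java
import com.google.auth.ServiceAccountSigner;
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class SignBlobPreflight {

    /** Outcome of the preflight check (hypothetical type, not part of the library). */
    public enum Result { OK, MISSING_SIGN_BLOB_PERMISSION, NOT_A_SIGNER, OTHER_FAILURE }

    public static Result checkSigningAbility(GoogleCredentials credentials) {
        // Only credential types implementing ServiceAccountSigner can produce signed URLs.
        if (!(credentials instanceof ServiceAccountSigner)) {
            return Result.NOT_A_SIGNER;
        }
        ServiceAccountSigner signer = (ServiceAccountSigner) credentials;
        try {
            // Signing a constructed payload exercises the same IAM signBlob round trip
            // that Blob.signUrl() performs internally for ComputeEngineCredentials.
            signer.sign("preflight".getBytes(StandardCharsets.UTF_8));
            return Result.OK;
        } catch (ServiceAccountSigner.SigningException e) {
            Throwable cause = e.getCause();
            // IamUtils wraps the HTTP failure in an IOException whose message carries the
            // status code ("Error code 403 trying to sign provided bytes: ..." in the trace above).
            if (cause instanceof IOException && cause.getMessage() != null
                    && cause.getMessage().contains("403")) {
                System.err.printf(
                    "Service account %s lacks iam.serviceAccounts.signBlob (IAM signBlob returned 403); "
                        + "grant it on the GKE node or Workload Identity service account.%n",
                    signer.getAccount());
                return Result.MISSING_SIGN_BLOB_PERMISSION;
            }
            return Result.OTHER_FAILURE;
        }
    }

    public static void main(String[] args) throws IOException {
        // Same credential acquisition as the snippet in the issue.
        GoogleCredentials credentials = ComputeEngineCredentials.getApplicationDefault();
        System.out.println("signBlob preflight: " + checkSigningAbility(credentials));
    }
}
```

Running this once at pod startup turns a late, generic SigningException during signUrl() into an early, attributable IAM finding for the specific service account.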