Google App Engine: 502 Server Error when accessing an IAP resource after authenticating from a service account

Tags: google-app-engine, google-authentication, google-iap

We are trying to implement server-to-server authentication and access an IAP resource following the documentation.

When we execute the above code, we get the following error:

Traceback (most recent call last):
  File "/env/lib/python3.7/site-packages/gunicorn/workers/gthread.py", line 271, in handle
    keepalive = self.handle_request(req, conn)
  File "/env/lib/python3.7/site-packages/gunicorn/workers/gthread.py", line 320, in handle_request
    respiter = self.wsgi(environ, resp.start_response)
  File "/env/lib/python3.7/site-packages/flask/app.py", line 2463, in __call__
    return self.wsgi_app(environ, start_response)
  File "/env/lib/python3.7/site-packages/flask/app.py", line 2449, in wsgi_app
    response = self.handle_exception(e)
  File "/env/lib/python3.7/site-packages/flask/app.py", line 1866, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/env/lib/python3.7/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/env/lib/python3.7/site-packages/flask/app.py", line 2446, in wsgi_app
    response = self.full_dispatch_request()
  File "/env/lib/python3.7/site-packages/flask/app.py", line 1951, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/env/lib/python3.7/site-packages/flask/app.py", line 1820, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/env/lib/python3.7/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/env/lib/python3.7/site-packages/flask/app.py", line 1949, in full_dispatch_request
    rv = self.dispatch_request()
  File "/env/lib/python3.7/site-packages/flask/app.py", line 1935, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/srv/controllers/migratedata.py", line 84, in migrate_data
    response = authenticate_obj.make_iap_request(url, client_id)
  File "/srv/controllers/authentication/iap_authentication.py", line 107, in make_iap_request
    resp.status_code, resp.headers, resp.text))
Exception: Bad response from application: 502 / {'Content-Type': 'text/html; charset=UTF-8', 'Referrer-Policy': 'no-referrer', 'Content-Length': '1613', 'Date': 'Fri, 15 Nov 2019 00:44:06 GMT', 'Alt-Svc': 'quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000'} / '<!DOCTYPE html>\n<html lang=en>\n <meta charset=utf-8>\n <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">\n <title>Error 502 (Server Error)!!1</title>\n <style>[Google error-page CSS omitted]</style>\n <a href=//www.google.com/><span id=logo aria-label=Google></span></a>\n <p><b>502.</b> <ins>That’s an error.</ins>\n <p>The server encountered a temporary error and could not complete your request.<p>Please try again in 30 seconds. <ins>That’s all we know.
We use the following function to obtain the OpenID Connect token:

import google.auth.transport.requests
import google.oauth2._client  # private google-auth module used by this code

# Module-level constants referenced below (values as given in the answer)
IAM_SCOPE = 'https://www.googleapis.com/auth/iam'
OAUTH_TOKEN_URI = 'https://www.googleapis.com/oauth2/v4/token'


def get_google_open_id_connect_token(self, service_account_credentials):
    """Get an OpenID Connect token issued by Google for the service account.

    This function:

    1. Generates a JWT signed with the service account's private key
       containing a special "target_audience" claim.

    2. Sends it to the OAUTH_TOKEN_URI endpoint. Because the JWT in #1
       has a target_audience claim, that endpoint will respond with
       an OpenID Connect token for the service account -- in other words,
       a JWT signed by *Google*. The aud claim in this JWT will be
       set to the value from the target_audience claim in #1.

    For more information, see
    https://developers.google.com/identity/protocols/OAuth2ServiceAccount .
    The HTTP/REST example on that page describes the JWT structure and
    demonstrates how to call the token endpoint. (The example on that page
    shows how to get an OAuth2 access token; this code is using a
    modified version of it to get an OpenID Connect token.)
    """
    # The target_audience claim named above only ends up in the assertion if
    # the caller built the credentials with
    # additional_claims={'target_audience': client_id}; the assertion is
    # signed with the service account's private key.
    service_account = service_account_credentials._make_authorization_grant_assertion()
    request = google.auth.transport.requests.Request()
    body = {
        'assertion': service_account,
        'grant_type': google.oauth2._client._JWT_GRANT_TYPE,
    }
    # Exchange the self-signed assertion for a Google-signed ID token
    token_response = google.oauth2._client._token_endpoint_request(request, OAUTH_TOKEN_URI, body)
    return token_response['id_token']

Please find Project B's IAP configuration here. The IAP-secured Web App User is project-A@appspot.gserviceaccount.com, the default service account of Project A.
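The two-step flow the docstring above describes, reduced to its claims, as an added example that is not part of the question or the answers: step 1 builds the self-signed assertion whose distinguishing feature is the target_audience claim, and a pre-flight check then reads the Google-issued id_token from step 2 and reports why IAP would reject it (aud not equal to the IAP OAuth client ID, wrong issuer, expired, or an email other than the account granted IAP-secured Web App User). The signer callable is a hypothetical stand-in for the service account's RS256 signing key; the token endpoint call itself is left out so the code runs offline.

```python
import base64
import json
import time

# Values from the question and the accepted answer.
OAUTH_TOKEN_URI = 'https://www.googleapis.com/oauth2/v4/token'
GOOGLE_ISSUERS = ('https://accounts.google.com', 'accounts.google.com')

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')

def encode_jwt(header, claims, signer):
    """Compact JWT: b64url(header).b64url(claims).b64url(signer(input)).
    'signer' (hypothetical parameter) is a callable bytes -> bytes; for a real
    assertion it must produce an RS256 signature with the SA private key."""
    signing_input = '.'.join(_b64url(json.dumps(p, separators=(',', ':')).encode())
                             for p in (header, claims))
    return signing_input + '.' + _b64url(signer(signing_input.encode('ascii')))

def build_assertion(sa_email, client_id, signer, now=None, lifetime=3600):
    """Step 1 of the flow: the self-signed JWT posted to OAUTH_TOKEN_URI."""
    now = int(time.time()) if now is None else now
    claims = {'iss': sa_email, 'sub': sa_email, 'aud': OAUTH_TOKEN_URI,
              'iat': now, 'exp': now + lifetime,
              # This claim makes the endpoint answer with an id_token whose
              # aud is the IAP OAuth client ID, instead of an access_token.
              'target_audience': client_id}
    return encode_jwt({'alg': 'RS256', 'typ': 'JWT'}, claims, signer)

def decode_claims(jwt):
    """Payload only; the signature is NOT checked here (local inspection,
    IAP verifies Google's signature server-side)."""
    parts = jwt.split('.')
    if len(parts) != 3:
        raise ValueError('not a compact JWT')
    return json.loads(base64.urlsafe_b64decode(parts[1] + '=' * (-len(parts[1]) % 4)))

def preflight_id_token(id_token, client_id, sa_email, now=None):
    """Reasons IAP would reject the id_token from step 2, checked before the
    request is sent so a 4xx/5xx from IAP is not the first diagnostic."""
    now = int(time.time()) if now is None else now
    c = decode_claims(id_token)
    checks = [(c.get('aud') == client_id, 'aud is not the IAP OAuth client ID'),
              (c.get('iss') in GOOGLE_ISSUERS, 'iss is not Google'),
              (c.get('exp', 0) > now, 'token expired'),
              (c.get('email') == sa_email, 'email is not the IAP-secured Web App User account')]
    return [msg for ok, msg in checks if not ok]
```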

From the code you provided, it looks like you have not initialized the variables OAUTH_TOKEN_URI and IAM_SCOPE with the proper values:

IAM_SCOPE = 'https://www.googleapis.com/auth/iam'
OAUTH_TOKEN_URI = 'https://www.googleapis.com/oauth2/v4/token'

Edit:

Can you also confirm that you have actually enabled IAP for the App Engine instance you are trying to access? I have seen this error before when IAP was not enabled.

The service account's permissions should be at least IAP-secured Web App User. More specifically:

Can you provide the code where you perform the authentication (sanitized, of course)? How you generate the JWT, request the OIDC token, etc.? Did you create a new service account or are you using the default one?

Both variables are in the class (I have edited my question to include them).

Can you confirm that you have actually enabled IAP for the App Engine instance you are trying to access: ? I have seen this error before when IAP was not enabled.

Confirmed. I have attached the IAP settings from the GCP console to the question.

I replicated this scenario and got a 500 response because the service account of my App Engine app in project A did not have the Service Account Token Creator IAM role. Could you try adding this role to your service account and try again?

- I was able to reproduce the exact same stack trace as you. Everything seems to point to an issue, so I decided to create an issue tracker to post further updates about this problem. You can check it here:
IAM_SCOPE = 'https://www.googleapis.com/auth/iam'
OAUTH_TOKEN_URI = 'https://www.googleapis.com/oauth2/v4/token'