Google cloud platform 谷歌云-使用JWT令牌访问存储API：非法URI错误_Google Cloud Platform_Google Api_Google Cloud Functions_Google Cloud Storage

Google cloud platform 谷歌云-使用JWT令牌访问存储API：非法URI错误

google-cloud-platform google-api google-cloud-storage

Google cloud platform 谷歌云-使用JWT令牌访问存储API：非法URI错误,google-cloud-platform,google-api,google-cloud-functions,google-cloud-storage,Google Cloud Platform,Google Api,Google Cloud Functions,Google Cloud Storage,我正在尝试使用下面列出的示例对存储API进行JWT调用，并做了一些更改- def generate_jwt(): """Generates a signed JSON Web Token using a Google API Service Account.""" now = int(time.time()) sa_email = os.environ["FUNCTION_IDENTITY"] expiry_le

我正在尝试使用下面列出的示例对存储API进行JWT调用，并做了一些更改-

def generate_jwt():

"""Generates a signed JSON Web Token using a Google API Service Account."""

now = int(time.time())
sa_email = os.environ["FUNCTION_IDENTITY"]
expiry_length = 3600

# build payload
payload = {
    'iat': now,
    # expires after 'expiry_length' seconds.
    "exp": now + expiry_length,
    # iss must match 'issuer' in the security configuration in your
    # swagger spec (e.g. service account email). It can be any string.
    'iss': sa_email,
    # aud must be either your Endpoints service name, or match the value
    # specified as the 'x-google-audience' in the OpenAPI document.
    'aud': "https://storage.googleapis.com", 
    # sub and email should match the service account's email address
    'sub': sa_email,
    'email': sa_email
    
}
# sign with keyfile
sa_keyfile="cred.json"
signer = google.auth.crypt.RSASigner.from_service_account_file(sa_keyfile)
jwt = google.auth.jwt.encode(signer, payload)
return jwt

在这里叫它

def make_jwt_request(signed_jwt, url="https://storage.googleapis.com/storage/v1/b/BUCKET_NAME"):
"""Makes an authorized request to the endpoint"""
headers = {
    'Authorization': 'Bearer {}'.format(signed_jwt.decode('utf-8')),
    'content-type': 'application/json',
    "Host": "www.googleapis.com",
}
response = requests.get(url, headers=headers)
print(response.status_code, response.content)
response.raise_for_status()

但是获取错误as无法解析指定的URI。非法URI

我不明白为什么它是非法的URI。我试过了，但还是一样的错误。在SO或google文档中找不到关于此的任何信息。知道我在这里做错了什么吗？

谷歌云存储不接受签名的JWT授权。创建签名JWT后，必须将JWT交换为访问令牌

有关Python的完整示例，请参阅我的答案或我的

def exchangeJwtForAccessToken(signed_jwt):
    '''
    This function takes a Signed JWT and exchanges it for a Google OAuth Access Token
    '''

    auth_url = "https://www.googleapis.com/oauth2/v4/token"

    params = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": signed_jwt
    }

    r = requests.post(auth_url, data=params)

    if r.ok:
        return(r.json()['access_token'], '')

    return None, r.text

谷歌云存储不接受签名JWT进行授权。创建签名JWT后，必须将JWT交换为访问令牌

有关Python的完整示例，请参阅我的答案或我的

def exchangeJwtForAccessToken(signed_jwt):
    '''
    This function takes a Signed JWT and exchanges it for a Google OAuth Access Token
    '''

    auth_url = "https://www.googleapis.com/oauth2/v4/token"

    params = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": signed_jwt
    }

    r = requests.post(auth_url, data=params)

    if r.ok:
        return(r.json()['access_token'], '')

    return None, r.text

谷歌云存储不接受签名JWT进行授权。创建签名JWT后，必须将JWT交换为访问令牌。请参阅我在这里关于如何在Python中执行此操作的回答。查看我的函数

exchangeJwtForAccessToken（）

：@JohnHanley-谢谢，只是一个后续问题-是否可以基于经过身份验证的令牌标识存储桶。原因是我不想在这里硬编码bucket name？访问令牌根据作用域授予访问权限。您不能在令牌中嵌入bucket名称。必须通过API端点指定bucket名称。Bucket名称是全局公共名称。@约翰汉利您能否添加您的评论作为答案，我很乐意为您投票answer@vicalderon-谢谢，回复贴出。谷歌云存储不接受签名JWT进行授权。创建签名JWT后，必须将JWT交换为访问令牌。请参阅我在这里关于如何在Python中执行此操作的回答。查看我的函数

exchangeJwtForAccessToken（）