GCP:使用服务帐户JSON时“无效的JWT签名”
GCP:使用服务帐户JSON时“无效的JWT签名”
提问于 2020-09-30 10:26:02
我正在使用谷歌的gRPC库来访问我的GCP域的数据。我的代码使用服务帐户JSON密钥执行身份验证。它运行了大约一个月,直到最近,我开始在我试图执行的任何操作中收到以下错误:
{"error":"invalid_grant","error_description":"Invalid JWT Signature."}我应该注意,身份验证过程的执行没有错误,创建服务对象也是如此(参见下面的Java代码示例)。当我试图执行任何数据访问操作(例如下面示例中的listSecrets方法)时,会引发错误。
在网上搜索这个问题时,我发现主要的答案是指向系统时间/时区错误;然而,我的计算机上的数据和时区是完全准确的。有什么建议吗?
我的Java代码示例:
String projectId = "my-project";
GoogleCredentials credentials = GoogleCredentials.fromStream(new FileInputStream("C:\\Users\\elisha.l\\Downloads\\co-club-project-01-3588a3330456.json"));
SecretManagerServiceClient client = SecretManagerServiceClient.create();
ProjectName parent = ProjectName.of(projectId);
ListSecretsPagedResponse response = client.listSecrets(parent);错误的堆栈跟踪:
Exception in thread "main" com.google.api.gax.rpc.UnavailableException: io.grpc.StatusRuntimeException: UNAVAILABLE: Credentials failed to obtain metadata
at com.google.api.gax.rpc.ApiExceptionFactory.createException(ApiExceptionFactory.java:69)
at com.google.api.gax.grpc.GrpcApiExceptionFactory.create(GrpcApiExceptionFactory.java:72)
at com.google.api.gax.grpc.GrpcApiExceptionFactory.create(GrpcApiExceptionFactory.java:60)
at com.google.api.gax.grpc.GrpcExceptionCallable$ExceptionTransformingFuture.onFailure(GrpcExceptionCallable.java:97)
at com.google.api.core.ApiFutures$1.onFailure(ApiFutures.java:68)
at com.google.common.util.concurrent.Futures$CallbackListener.run(Futures.java:1050)
at com.google.common.util.concurrent.DirectExecutor.execute(DirectExecutor.java:30)
at com.google.common.util.concurrent.AbstractFuture.executeListener(AbstractFuture.java:1176)
at com.google.common.util.concurrent.AbstractFuture.complete(AbstractFuture.java:969)
at com.google.common.util.concurrent.AbstractFuture.setException(AbstractFuture.java:760)
at io.grpc.stub.ClientCalls$GrpcFuture.setException(ClientCalls.java:563)
at io.grpc.stub.ClientCalls$UnaryStreamToFuture.onClose(ClientCalls.java:533)
at io.grpc.internal.ClientCallImpl.closeObserver(ClientCallImpl.java:434)
at io.grpc.internal.ClientCallImpl.access$500(ClientCallImpl.java:66)
at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInternal(ClientCallImpl.java:763)
at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInContext(ClientCallImpl.java:742)
at io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37)
at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:123)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(Unknown Source)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Suppressed: com.google.api.gax.rpc.AsyncTaskException: Asynchronous task failed
at com.google.api.gax.rpc.ApiExceptions.callAndTranslateApiException(ApiExceptions.java:57)
at com.google.api.gax.rpc.UnaryCallable.call(UnaryCallable.java:112)
at com.google.cloud.secretmanager.v1.SecretManagerServiceClient.listSecrets(SecretManagerServiceClient.java:245)
at com.google.cloud.secretmanager.v1.SecretManagerServiceClient.listSecrets(SecretManagerServiceClient.java:196)
at google.Secret.main(Secret.java:26)
Caused by: io.grpc.StatusRuntimeException: UNAVAILABLE: Credentials failed to obtain metadata
at io.grpc.Status.asRuntimeException(Status.java:533)
... 14 more
Caused by: java.io.IOException: Error getting access token for service account: 400 Bad Request
POST https://oauth2.googleapis.com/token
{"error":"invalid_grant","error_description":"Invalid JWT Signature."}
at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:444)
at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:157)
at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:145)
at com.google.auth.oauth2.ServiceAccountCredentials.getRequestMetadata(ServiceAccountCredentials.java:603)
at com.google.auth.Credentials.blockingGetToCallback(Credentials.java:112)
at com.google.auth.Credentials$1.run(Credentials.java:98)
... 7 more
Caused by: com.google.api.client.http.HttpResponseException: 400 Bad Request
POST https://oauth2.googleapis.com/token
{"error":"invalid_grant","error_description":"Invalid JWT Signature."}
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1113)
at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:441)
... 12 more回答 1
Stack Overflow用户
发布于 2020-10-07 17:45:23
Java应该注意到,身份验证过程执行时没有错误,创建服务对象也是如此(参见下面的
代码示例)。当我试图执行任何数据访问操作(例如下面示例中的listSecrets方法)时,会引发错误。
我认为您是说GoogleCredentials和SecretManagerServiceClient对象的实例化不会引发任何异常。但是,在调用客户端对象(如listServices )上的方法之前,它们实际上不会验证您的凭据。(如果我误解了,请告诉我,SecretManagerServiceClient上的一些方法确实正确地验证并成功了)。
您的服务帐户JSON密钥似乎存在一些问题,因此我首先确定它是否与Java代码分开工作。您可以按照https://cloud.google.com/service-usage/docs/getting-started#test的说明使用oauth2l从您的服务帐户获取承载令牌,然后通过curl直接使用这个承载令牌调用秘密管理器API,如https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets所示。类似于:
curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets?secretId=secret-id" \
--request "POST" \
--header "authorization: Bearer <bearer token from oauth2l>" \
--header "content-type: application/json" \
--header "x-goog-user-project: project-id" \
--data "{\"replication\": {\"automatic\": {}}}"如果这样做有效,而Java代码不起作用,那么您可能希望继续在https://github.com/googleapis/java-secretmanager存储库中提交一个问题。
或者,以上所述:创建一个新的服务帐户并查看它是否有效可能会更快,而不是调试当前帐户的错误所在。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/64135594
复制相关文章
相似问题
腾讯云开发者
