如何完全登出 Google Cloud? `gcloud auth revoke --all` 並不能解決問題

tag-icon tag-icon security google-cloud-platform gcloud
如何完全登出 Google Cloud? `gcloud auth revoke --all` 並不能解決問題

退出 Google Cloud似乎就像它應該很容易一樣。如果我運行:

$ unset GOOGLE_APPLICATION_CREDENTIALS

$ gcloud auth revoke --all
Revoked credentials:
  - [my account]
$ gcloud auth list

No credentialed accounts.

To login, run:
  $ gcloud auth login `ACCOUNT`

起初它看起來就像我完全退出一樣gcloud。但是看看當我打開 Python shell 時會發生什麼:

>>> from google.cloud import secretmanager_v1beta1 as secretmanager
>>> client = secretmanager.SecretManagerServiceClient()
/Users/my/path/.venv/lib/python3.7/site-packages/google/auth/_default.py:66: UserWarning: Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most server applications use service accounts instead. If your application continues to use end user credentials from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about service accounts, see https://cloud.google.com/docs/authentication/
  warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING)
>>> path = client.secret_version_path(project="my-project-name", secret="my-secret", secret_version="latest")
>>> secret = client.access_secret_version(path)
>>> secret.payload.data.decode()
"Oh, no! I should be secret!"

正如您所看到的,即使我運行了,gcloud auth revoke --all我仍然可以使用儲存在某處的使用者憑證透過 Python SDK 存取 Google Cloud。有沒有辦法完全地在我的筆記型電腦上登出 Google Cloud?

編輯:進一步澄清:這台電腦上沒有保存任何 Google Cloud Service 帳戶 JSON 文件,並且我已取消設定GOOGLE_APPLICATION_CREDENTIALS環境變數。

答案1

我不確定這是否會對您有任何幫助,但我遇到了類似的問題。使用該命令撤銷所有憑證後,gcloud auth revoke --all我仍然可以針對我的環境執行腳本。最後,我發現應用程式預設憑證檔案位於〜/.config/gcloud/application_default_credentials.json。重新命名或刪除此檔案有助於完全撤銷憑證。現在客戶端庫無法存取環境:

  File "audit_test.py", line 8, in main
    client = resource_manager.Client()
  File "fake_path/python3.7/site-packages/google/cloud/resource_manager/client.py", line 72, in __init__
    super(Client, self).__init__(credentials=credentials, _http=_http)
  File "fake_path/python3.7/site-packages/google/cloud/client.py", line 132, in __init__
    credentials, _ = google.auth.default()
  File "fake_path/python3.7/site-packages/google/auth/_default.py", line 321, in default
    raise exceptions.DefaultCredentialsError(_HELP_MESSAGE)
google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://cloud.google.com/docs/authentication/getting-started

答案2

正如上面評論的阿姜查爾斯gcloud auth application-default revoke有效。只需點擊命令,它就會刪除application-default信用。看到不同這裡。我遇到了同樣的問題,只有這個有效。

編輯:

請記住,您仍然需要調用gcloud auth revoke --allasgcloud auth application-default revoke僅刪除應用程式預設信用。

相關內容