Security

How do I completely log out of Google Cloud? gcloud auth revoke --all doesn't cut it

  • December 11, 2020

Logging out of Google Cloud seems like it should be easy. If I run:

$ unset GOOGLE_APPLICATION_CREDENTIALS

$ gcloud auth revoke --all
Revoked credentials:
 - [my account]
$ gcloud auth list

No credentialed accounts.

To login, run:
 $ gcloud auth login `ACCOUNT`

At first it looks like I'm completely logged out of gcloud. But notice what happens when I open a Python shell:

>>> from google.cloud import secretmanager_v1beta1 as secretmanager
>>> client = secretmanager.SecretManagerServiceClient()
/Users/my/path/.venv/lib/python3.7/site-packages/google/auth/_default.py:66: UserWarning: Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most server applications use service accounts instead. If your application continues to use end user credentials from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about service accounts, see https://cloud.google.com/docs/authentication/
 warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING)
>>> path = client.secret_version_path(project="my-project-name", secret="my-secret", secret_version="latest")
>>> secret = client.access_secret_version(path)
>>> secret.payload.data.decode()
"Oh, no! I should be secret!"

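As you can see, even though I ran gcloud auth revoke --all, I can still access Google Cloud through the Python SDK using user credentials stored somewhere. Is there a way to completely log out of Google Cloud on my laptop?

Edit: To clarify further: there are no Google Cloud service account JSON files saved on this computer, and I have unset the GOOGLE_APPLICATION_CREDENTIALS environment variable.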

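I'm not sure if this will help you, but I ran into a similar issue. Once I revoked all credentials with the command "gcloud auth revoke --all", I was still able to run scripts against my environment. Eventually, I found the application default credentials file at ~/.config/gcloud/application_default_credentials.json. Renaming/deleting this file helped remove the client libraries' ability to authenticate. I now get the following: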

 File "audit_test.py", line 8, in main
   client = resource_manager.Client()
 File "fake_path/python3.7/site-packages/google/cloud/resource_manager/client.py", line 72, in __init__
   super(Client, self).__init__(credentials=credentials, _http=_http)
 File "fake_path/python3.7/site-packages/google/cloud/client.py", line 132, in __init__
   credentials, _ = google.auth.default()
 File "fake_path/python3.7/site-packages/google/auth/_default.py", line 321, in default
   raise exceptions.DefaultCredentialsError(_HELP_MESSAGE)
google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://cloud.google.com/docs/authentication/getting-started
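
An added example (not part of the original question or answer): a small audit script that lists the local files Application Default Credentials could load after `gcloud auth revoke --all`, which is why the Python client in the question kept working. It assumes the file lookup order used by the google-auth library (GOOGLE_APPLICATION_CREDENTIALS first, then the Cloud SDK config directory, which CLOUDSDK_CONFIG can relocate); the function names are hypothetical and the metadata-server fallback is not checked.

```python
import json
import os
from pathlib import Path

ADC_FILENAME = "application_default_credentials.json"


def gcloud_config_dir(env, home):
    """Cloud SDK config directory (assumed to match google-auth's lookup order)."""
    if env.get("CLOUDSDK_CONFIG"):
        return Path(env["CLOUDSDK_CONFIG"])
    if os.name == "nt" and env.get("APPDATA"):
        return Path(env["APPDATA"]) / "gcloud"
    return Path(home) / ".config" / "gcloud"


def find_adc_sources(env=None, home=None):
    """Return (source, path, credential type) for each local file ADC could load."""
    env = os.environ if env is None else env
    home = Path.home() if home is None else home
    candidates = []
    if env.get("GOOGLE_APPLICATION_CREDENTIALS"):
        candidates.append(("GOOGLE_APPLICATION_CREDENTIALS",
                           Path(env["GOOGLE_APPLICATION_CREDENTIALS"])))
    candidates.append(("well-known ADC file",
                       gcloud_config_dir(env, home) / ADC_FILENAME))
    findings = []
    for source, path in candidates:
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text())
            # "authorized_user" = end-user login, "service_account" = key file
            cred_type = data.get("type", "unknown") if isinstance(data, dict) else "unreadable"
        except (OSError, ValueError):
            cred_type = "unreadable"
        findings.append((source, str(path), cred_type))
    return findings


if __name__ == "__main__":
    found = find_adc_sources()
    for source, path, cred_type in found:
        print(f"{source}: {path} (type={cred_type})")
    if not found:
        print("No local ADC files found.")
```

`gcloud auth application-default revoke` is the gcloud command that revokes these credentials and removes the well-known file; rerunning the script afterwards confirms nothing is left on disk.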

Source: https://serverfault.com/questions/1001162