Kubernetes python client unable to refresh access token #386

Closed
kevinmu opened this issue Nov 10, 2017 · 2 comments

kevinmu commented Nov 10, 2017

I'm running a script that calls into kubernetes via the python client. However, it appears unable to get the correct credentials. I /can/ use the kubectl command-line interface, which I've noticed populates my .kube/config file with an access-token and an expiry whenever I make a command (e.g., kubectl get pods). As long as that token has not expired, my python script runs fine. However, once that token expires it doesn't seem to be able to refresh it, instead failing and telling me to set GOOGLE_APPLICATION_CREDENTIALS.

Of course, when I created a service-account with a keyfile and pointed GOOGLE_APPLICATION_CREDENTIALS to that keyfile, it gave me the following error:

```
RefreshError: ('invalid_scope: Empty or missing scope not allowed.', u'{\n  "error" : "invalid_scope",\n  "error_description" : "Empty or missing scope not allowed."\n}')
```

Although from the code it seems like you can provide scopes to credentials, I am trying to create a Kubernetes client via kubernetes.config.kube_config.new_client_from_config, which seems to create credentials without scopes.

Is there something wrong with my understanding of this client? Appreciate any help with this!

I am using the 3.0.0 release of the kubernetes python library. In case it is helpful, here is my .kube/config:

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <CERTIFICATE_DATA>
    server: <IP_ADDRESS>
  name: <cluster_name>
contexts:
- context:
    cluster: <cluster_name>
    user: <cluster_name>
  name: <cluster_name>
users:
- name: <cluster_name>
  user:
    auth-provider:
      config:
        access-token: <SOME_ACCESS_TOKEN>
        cmd-args: config config-helper --format=json
        cmd-path: /usr/lib/google-cloud-sdk/bin/gcloud
        expiry: 2017-11-10T03:20:19Z
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
```
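
A pre-flight check for the condition described in this issue, added here as an example and not part of the original post or of the client library: it inspects the cached `gcp` auth-provider token in an already-parsed kubeconfig and reports whether it is still usable. The `current-context` key, the sample values and the five-minute skew are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: an already-parsed kubeconfig shaped like the one above.
# "current-context" and all values here are assumptions for illustration.
SAMPLE_KUBECONFIG = {
    "current-context": "demo",
    "contexts": [{"name": "demo", "context": {"cluster": "demo", "user": "demo"}}],
    "users": [{"name": "demo", "user": {"auth-provider": {
        "name": "gcp",
        "config": {"access-token": "PLACEHOLDER", "expiry": "2017-11-10T03:20:19Z"},
    }}}],
}


def _by_name(items, name):
    """Return the list entry whose 'name' matches (kubeconfig lists are keyed by name)."""
    for item in items or []:
        if item.get("name") == name:
            return item
    raise KeyError(f"no kubeconfig entry named {name!r}")


def parse_expiry(value):
    """Accept the 'expiry' string form shown above, or a datetime object,
    as some YAML loaders produce for unquoted timestamps."""
    if isinstance(value, datetime):
        parsed = value
    else:
        parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    # Naive timestamps are treated as UTC, matching the trailing 'Z'.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def gcp_token_status(kubeconfig, now=None, skew=timedelta(minutes=5)):
    """Classify the current context's cached gcp token: valid, expiring, expired, missing."""
    now = now or datetime.now(timezone.utc)
    ctx = _by_name(kubeconfig.get("contexts"), kubeconfig["current-context"])
    user = _by_name(kubeconfig.get("users"), ctx["context"]["user"])
    provider = user["user"].get("auth-provider") or {}
    if provider.get("name") != "gcp":
        raise ValueError("current user does not use the gcp auth-provider")
    cfg = provider.get("config") or {}
    if not cfg.get("access-token") or not cfg.get("expiry"):
        return "missing"
    remaining = parse_expiry(cfg["expiry"]) - now
    if remaining <= timedelta(0):
        return "expired"
    return "expiring" if remaining <= skew else "valid"
```

With PyYAML installed, the dictionary passed in can be the result of `yaml.safe_load` on the kubeconfig file.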
@mbohlool
Contributor

Looks like the issue in #233. Are you using the latest client, e.g. 4.0.0b1?


kevinmu commented Nov 13, 2017

I was using 3.0.0, but the issue still occurs after upgrading to 4.0.0b1.
