在Node.js中使用非默认凭据进行身份验证的GCP秘密管理器客户端。

huangapple go评论59阅读模式
英文:

Authenticating with non-default credentials in node.js GCP Secret Manager client

问题

I am trying to to use the @google-cloud/secret-manager package to read secrets from inside an application, and I want it to authenticate with a specific service account, not the default credentials. I can't find any documentation anywhere on how to do this.

我正在尝试使用 @google-cloud/secret-manager 包从应用程序内部读取秘密,并希望使用特定的服务账号进行身份验证,而不是默认凭据。我无法在任何地方找到如何做到这一点的文档。

import { SecretManagerServiceClient } from '@google-cloud/secret-manager';

const smClient = new SecretManagerServiceClient();

There are no options anywhere in the docs to provide authentication parameters. I'm trying to even use the google-auth-library to authenticate with my service account, but I'm not sure how to even pass that to the secret-manager request.

文档中没有任何选项来提供身份验证参数。我甚至尝试使用 google-auth-library 来使用我的服务账号进行身份验证,但我甚至不确定如何将其传递给 secret-manager 请求。

import { JWT } from 'google-auth-library';

const keyFile = JSON.parse(
    fs.readFileSync(path.resolve(__dirname, '../service-account.json'))
)

const authClient = new JWT({
    email: keyFile.client_email,
    key: keyFile.private_key,
    scopes: ['https://www.googleapis.com/auth/cloud-platform'],
});
英文:

I am trying to to use the @google-cloud/secret-manager package to read secrets from inside an application, and I want it to authenticate with a specific service account, not the default credentials. I can't find any documentation anywhere on how to do this.

import { SecretManagerServiceClient } from '@google-cloud/secret-manager';

const smClient = new SecretManagerServiceClient();

There are no options anywhere in the docs to provide authentication parameters. I'm trying to even use the google-auth-library to authenticate with my service account, but I'm not sure how to even pass that to the secret-manager request.

import { JWT } from 'google-auth-library';

const keyFile = JSON.parse(
    fs.readFileSync(path.resolve(__dirname, '../service-account.json'))
)

const authClient = new JWT({
	email: keyFile.client_email,
	key: keyFile.private_key,
	scopes: ['https://www.googleapis.com/auth/cloud-platform'],
});

答案1

得分: 0

Google Cloud客户端库使用名为Application Default Credentials (ADC) 的库来自动查找您的服务帐户凭据。 ADC按以下顺序查找服务帐户凭据:

  • 如果环境变量GOOGLE_APPLICATION_CREDENTIALS已设置,ADC将使用该变量指向的服务帐户密钥或配置文件。

  • 如果未设置,ADC将使用附加到运行代码的资源的服务帐户。

  • 如果ADC无法使用上述任何凭据,则会发生错误。

建议的步骤是创建一个服务帐户并相应地设置环境变量。此外,文档中还提供了一些常见用例的示例以及有关如何访问密钥的简要信息。

希望上述信息对您有帮助。

英文:

Google Cloud Client Libraries use a library called Application Default Credentials (ADC) to automatically find your service account credentials. ADC looks for service account credentials in the following order:

  • If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC uses the service account key or configuration file that the variable points to.

  • If it isn't set, ADC uses the service account that is attached to the resource that is running your code.

  • If ADC can't use any of the above credentials, an error occurs.

The recommended steps would be to create a service account and set an environment variable accordingly. Also ,there are few examples for common use cases and a brief information in the same document about how to access a secret.

Hope the above information is useful to you.

答案2

得分: 0

If your runtime environment has a built-in credential (because you are on Google Cloud or you use Workload Identity federation), you are going to the wrong way.

Service account key file (the json file) is insecure and I strong recommend to use it in only very specific cases.

But I understand the requirement to access a secret with another identity/credential. For that, something exist and it's named "impersonation."

The principle is to allow your current default credential generating a token (access or identity) on behalf another service account. For that, the current credential requires the role "Service Account Token Creator" to be able to generate that token.

I'm not a node.js developer, but I found that and that piece of code


  let targetClient = new Impersonated({
    sourceClient: <SourceCredential>,
    targetPrincipal: "impersonated-account@fabled-ray-104117.iam.gserviceaccount.com",
    lifetime: 30,
    delegates: [],
    targetScopes: ["https://www.googleapis.com/auth/cloud-platform"]
  });
英文:

If your runtime environment has a built-in credential (because you are on Google Cloud or you use Workload Identity federation), you are going to the wrong way.

Service account key file (the json file) is insecure and I strong recommend to use it in only very specific cases.

But I understand the requirement to access a secret with another identity/credential. For that, something exist and it's named "impersonation".

The principle is to allow your current default credential generating a token (access or identity) on behalf another service account. For that, the current credential requires the role "Service Account Token Creator" to be able to generate that token.

I'm not a node.js developer, but I fount that and that piece of code


  let targetClient = new Impersonated({
    sourceClient: &lt;SourceCredential&gt;,
    targetPrincipal: &quot;impersonated-account@fabled-ray-104117.iam.gserviceaccount.com&quot;,
    lifetime: 30,
    delegates: [],
    targetScopes: [&quot;https://www.googleapis.com/auth/cloud-platform&quot;]
  });

huangapple
  • 本文由 发表于 2023年5月11日 10:08:00
  • 转载请务必保留本文链接:https://go.coder-hub.com/76223675.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定