[英]Mutual TLS in Python using Google Cloud KMS
Is there a way to make HTTP requests over mTLS with private keys stored in Google Cloud Key Management Service?有没有办法使用存储在谷歌云密钥管理服务中的私钥通过 mTLS 发出 HTTP 请求?
In this blog post what we need is done in Go. Is it possible to achieve the same in Python?在这篇博文中,我们需要在 Go 中完成。是否可以在 Python 中实现相同的目标? I was hoping that Tink library provides some ready-made solution, but can't find.
我希望 Tink 库提供一些现成的解决方案,但找不到。
After diving into the topic I've made the following "discoveries":在深入探讨该主题后,我做出了以下“发现”:
urlopen
, which would use a custom OpenSSL engine.urlopen
创建 SSL 上下文,这将使用自定义 OpenSSL 引擎。 Here is an example: https://github.com/pyca/pyopenssl/issues/203#issuecomment-454900850So this seems solvable but requires some efforts.所以这似乎是可以解决的,但需要一些努力。
At the same time I finding that Amazon provides ready-made OpenSSL engine for their AWS CloudHSM , so it should be fairly easy to use for mTLS in Python. But CloudHSM prices are quite high (which is understandable due to custom hardware).同时我发现亚马逊为他们的 AWS CloudHSM 提供了现成的 OpenSSL 引擎,所以它应该很容易用于 Python 中的 mTLS。但是 CloudHSM 价格相当高(由于定制硬件,这是可以理解的)。 Also I found this Rust implementation of OpenSSL engine for AWS KMS, which looks great.
我还发现了 AWS KMS 的 OpenSSL 引擎的Rust 实现,看起来很棒。 And perhaps it's also possible to rework it for Google Cloud KMS... But we may end up switching to AWS KMS or CloudHSM.
也许也可以针对 Google Cloud KMS 对其进行返工……但我们最终可能会切换到 AWS KMS 或 CloudHSM。
Although this is not a very complete answer, I hope it will help others facing with the issue.虽然这不是一个非常完整的答案,但我希望它能帮助面临这个问题的其他人。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.