[英]GCP - Can't use Google Secret Manager (@google-cloud/secret-manager) inside Cloud Run
I've been using the @google-cloud/secret-manager plugin inside my Node application, previously hosted on Google App Engine.我一直在我的 Node 应用程序中使用 @google-cloud/secret-manager 插件,以前托管在 Google App Engine 上。
It was working perfectly fine until I moved my code to Cloud Run.在我将代码移至 Cloud Run 之前,它一直运行良好。 I am now getting the following error: error:
我现在收到以下错误:错误:
Error: 500 undefined: Getting metadata from plugin failed with error: Could not refresh access token: Unsuccessful response status code.
错误:500 未定义:从插件获取元数据失败并出现错误:无法刷新访问令牌:响应状态代码不成功。
Here is an example of my code:这是我的代码示例:
import { SecretManagerServiceClient } from '@google-cloud/secret-manager';
const SECRET = {
FOO_KEY: 'foo_key',
BAR_KEY: 'bar_key',
};
const buildSecretName = keyName => {
const project = process.env.PROJECT_ID;
return `projects/${project}/secrets/${keyName}/versions/latest`;
};
const accessSecret = async keyName => {
const client = new SecretManagerServiceClient();
const name = buildSecretName(keyName);
const [version] = await client.accessSecretVersion({
name,
});
return version.payload.data.toString('utf8');
};
const accessFooKey = async () => {
const secret = await accessSecret(SECRET.FOO_KEY);
return secret;
};
After debugging, the Exception seems to be thrown when running the accessSecretVersion
function.经过调试,运行
accessSecretVersion
function时似乎抛出了异常。 It looks like the secret-manager
plugin can not retrieve the current service account, is it because I am running my code inside a Docker image?看起来
secret-manager
插件无法检索当前服务帐户,是因为我在 Docker 图像中运行我的代码吗?
Here is the content of my Dockerfile这是我的Dockerfile的内容
FROM node:12
ARG NODE_ENV=production
ENV NODE_ENV ${NODE_ENV}
ARG PROJECT_ID=my-project
ENV PROJECT_ID ${PROJECT_ID}
WORKDIR /usr/src
COPY package.json ./
COPY yarn.lock ./
RUN yarn
COPY . .
RUN yarn api:clean
RUN yarn api:build
EXPOSE 3000
CMD ["yarn", "api:start"]
It is deployed via a trigger build using the following cloudbuild.yaml file它是通过使用以下 cloudbuild.yaml 文件的触发器构建部署的
steps:
- id: build API image
name: gcr.io/cloud-builders/docker
args:
- build
- -t
- eu.gcr.io/${_TARGET_PROJECT_ID}/${_SERVICE_NAME}
- .
- id: publish API image
name: gcr.io/cloud-builders/docker
args:
- push
- eu.gcr.io/${_TARGET_PROJECT_ID}/${_SERVICE_NAME}
- id: deploy
name: gcr.io/google.com/cloudsdktool/cloud-sdk
args:
- gcloud
- run
- deploy
- ${_SERVICE_NAME}
- --image=eu.gcr.io/${_TARGET_PROJECT_ID}/${_SERVICE_NAME}
- --project=${_TARGET_PROJECT_ID}
- --platform=${_RUN_PLATFORM}
- --region=${_REGION}
images:
- eu.gcr.io/${_TARGET_PROJECT_ID}/${_SERVICE_NAME}
timeout: 1200s
For information, my secrets are readable by the Cloud Run
custom service account, they all have the Secret Manager Secret Accessor
access right.有关信息,我的秘密可由
Cloud Run
自定义服务帐户读取,它们都具有Secret Manager Secret Accessor
访问权限。
Thanks a lot for your help!非常感谢你的帮助!
As John Hanley stated, I didn't specify any particular service account while deploying my Docker image.正如 John Hanley 所说,在部署 Docker 映像时,我没有指定任何特定的服务帐户。 The default service account is the Compute Engine account (
xxx-compute@developer.gserviceaccount.com
) which was disabled by my company to prevent security issues.默认服务帐户是 Compute Engine 帐户 (
xxx-compute@developer.gserviceaccount.com
),我的公司已禁用该帐户以防止出现安全问题。
Using a custom service account while running the gcloud run deploy
command solved the problem.在运行
gcloud run deploy
命令时使用自定义服务帐户解决了该问题。 My deploy
step now looks like this:我的
deploy
步骤现在如下所示:
- id: deploy
name: gcr.io/google.com/cloudsdktool/cloud-sdk
args:
- gcloud
- run
- deploy
- ${_SERVICE_NAME}
- --image=eu.gcr.io/${_TARGET_PROJECT_ID}/${_SERVICE_NAME}
- --project=${_TARGET_PROJECT_ID}
- --platform=${_RUN_PLATFORM}
- --region=${_REGION}
- --service-account=custom-service@my-project.iam.gserviceaccount.com
Thank y'all for your help谢谢大家的帮助
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.