How to connect Google App Engine with Secret Manager to Postgres?
I'm trying to connect from a nodejs/typescript codebase running in GAE to a GCP managed Postgres db via secret manager.
I'm getting:
Error: 7 PERMISSION_DENIED: Permission denied on resource project DATABASE_USER.
when I run it in GAE.
First, make sure you've granted Secrets Access to the GAE service account in IAM.
Then use the following code example to get your ENV vars from secret manager.

    import * as path from 'path';
    import {SecretManagerServiceClient} from '@google-cloud/secret-manager';
    import deasync from 'deasync';

    require('dotenv').config();
    const SnakeNamingStrategy =
      require('typeorm-naming-strategies').SnakeNamingStrategy;

    // GOOGLE_CLOUD_PROJECT is set by the App Engine runtime.
    const googleProjectId = process.env.GOOGLE_CLOUD_PROJECT;
    const isInGAE = googleProjectId !== undefined;
    const isLocalUsingCloudProxy = process.env.USE_CLOUD_SQL_AUTH_PROXY !== undefined;

    // Blocking wrapper around the async Secret Manager call, so the config
    // object below can be built synchronously at module load.
    const getSecretSync = deasync((name: string, cb: any) => {
      const c = new SecretManagerServiceClient();
      // secretVersionPath builds the full resource name:
      // projects/<project>/secrets/<name>/versions/latest
      c.accessSecretVersion({name: c.secretVersionPath(googleProjectId, name, "latest")}).then(([secret]) => {
        cb(null, secret.payload.data.toString());
      }).catch((err) => {
        cb(err);
      });
    });

    // Defaults for local development, read from the environment (.env via dotenv).
    let config = {
      type: 'postgres',
      host: process.env.DATABASE_HOST || 'localhost',
      port: parseInt(process.env.DATABASE_PORT, 10) || 5432,
      username: process.env.DATABASE_USER,
      password: process.env.DATABASE_PASSWORD,
      database: process.env.DATABASE_NAME,
      synchronize: false,
      logging: false,
      subscribers: [path.join(__dirname, '..', 'subscribers', '*.{ts,js}')],
      entities: [path.join(__dirname, '..', 'models', '*.{ts,js}')],
      migrations: [path.join(__dirname, '..', 'migrations', '*.{ts,js}')],
      cli: {
        entitiesDir: [path.join(__dirname, '..', 'models', '*.{ts,js}')],
        migrationsDir: [path.join(__dirname, '..', 'migrations', '*.{ts,js}')],
      },
      namingStrategy: new SnakeNamingStrategy(),
    };

    // In GAE, or locally behind the Cloud SQL Auth Proxy, override the
    // environment values with the ones stored in Secret Manager.
    if (isInGAE || isLocalUsingCloudProxy) {
      config.username = getSecretSync("DATABASE_USER");
      config.password = getSecretSync("DATABASE_PASSWORD");
      config.database = getSecretSync("DATABASE_NAME");
      // In GAE the host is the unix socket directory /cloudsql/<connection name>.
      config.host = isInGAE ? "/cloudsql/" + getSecretSync("DATABASE_HOST") : 'localhost';
      config.port = isInGAE ? parseInt(getSecretSync("DATABASE_PORT"), 10) : 5432;
      // Debug output: this writes a value fetched from Secret Manager to the
      // application log; remove it once the connection works.
      console.log("dbuser", config.username);
    }

It's important to note that the DATABASE_HOST should be in the form of the "Connection Name" on the SQL tab, like project-id:us-central1:db-name
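
An async variant of the same lookup that avoids deasync, added here as an example and not part of the original answer: the Secret Manager call is injected as a function so the block runs offline against constructed secrets, and it checks the connection-name form described above. The names `SecretAccessor`, `secretVersionName`, `socketPathFor`, `loadDbConfig`, `fakeSecrets` and `fakeAccess` are hypothetical, and the check assumes a project ID without a domain prefix.

```typescript
// Added example; all names here are hypothetical, not from the original answer.
type SecretAccessor = (versionName: string) => Promise<string>;
interface DbConfig { host: string; port: number; username: string; password: string; database: string; }

// The API expects the full resource name, not a bare secret id such as "DATABASE_USER".
function secretVersionName(projectId: string | undefined, secretId: string): string {
  if (!projectId) throw new Error('GOOGLE_CLOUD_PROJECT is not set');
  return 'projects/' + projectId + '/secrets/' + secretId + '/versions/latest';
}

// DATABASE_HOST must be the Cloud SQL connection name (project:region:instance).
// Assumption: the project id has no domain prefix, so there are exactly three parts.
function socketPathFor(connectionName: string): string {
  const parts = connectionName.split(':');
  if (parts.length !== 3 || parts.some((p) => !/^[a-z0-9-]+$/.test(p))) {
    throw new Error('DATABASE_HOST is not a project:region:instance connection name');
  }
  return '/cloudsql/' + connectionName;
}

async function loadDbConfig(projectId: string | undefined, access: SecretAccessor): Promise<DbConfig> {
  const ids = ['DATABASE_USER', 'DATABASE_PASSWORD', 'DATABASE_NAME', 'DATABASE_HOST', 'DATABASE_PORT'];
  const raw = await Promise.all(ids.map((id) => access(secretVersionName(projectId, id))));
  const s: Record<string, string> = {};
  ids.forEach((id, i) => {
    // Drop one trailing newline, a common artifact of creating secrets from shell output.
    const value = raw[i].replace(/\r?\n$/, '');
    if (value === '') throw new Error('secret ' + id + ' is empty'); // report the id, never the value
    s[id] = value;
  });
  const port = Number(s['DATABASE_PORT']);
  if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error('DATABASE_PORT is not a valid port');
  return { host: socketPathFor(s['DATABASE_HOST']), port, username: s['DATABASE_USER'],
           password: s['DATABASE_PASSWORD'], database: s['DATABASE_NAME'] };
}

// In GAE the accessor would wrap the client call used in the answer:
//   const [v] = await client.accessSecretVersion({name}); return v.payload.data.toString();
// Constructed sample secrets standing in for Secret Manager, so the block runs offline.
const prefix = 'projects/demo-project/secrets/';
const fakeSecrets: Record<string, string> = {
  [prefix + 'DATABASE_USER/versions/latest']: 'app_user',
  [prefix + 'DATABASE_PASSWORD/versions/latest']: 'constructed-password\n',
  [prefix + 'DATABASE_NAME/versions/latest']: 'app_db',
  [prefix + 'DATABASE_HOST/versions/latest']: 'demo-project:us-central1:db-name',
  [prefix + 'DATABASE_PORT/versions/latest']: '5432',
};
const fakeAccess: SecretAccessor = (name) =>
  name in fakeSecrets ? Promise.resolve(fakeSecrets[name]) : Promise.reject(new Error('NOT_FOUND: ' + name));
```

Resolve `loadDbConfig` once at startup and spread the result into the connection options; a missing project ID, an empty secret or a malformed connection name then fails before any connection attempt.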