[英]Google Cloud Secrets Manager denies access to App Engine application but works with Google Cloud Function
I'm trying to connect to get a secret from google's secrets manager, and the same code works for Cloud Functions, but not for App Engine.我正在尝试连接以从 google 的机密管理器获取机密,并且相同的代码适用于 Cloud Functions,但不适用于 App Engine。
const { SecretManagerServiceClient } = require('@google-cloud/secret-manager'); const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
const secretManagerServiceClient = new SecretManagerServiceClient();
const name = 'projects/000000000000/secrets/database/versions/latest';
exports.testSecretManager = async (req, res) => {
const [version] = await secretManagerServiceClient.accessSecretVersion({ name });
const payload = version.payload.data.toString();
console.debug(`Payload: ${payload}`);
res.sendStatus(200);
};
The same code works fine when I deploy it as a function.当我将它部署为 function 时,相同的代码工作正常。
But when I run the same code as a part of App Engine application.但是当我运行相同的代码作为 App Engine 应用程序的一部分时。 It fails with this error:
它失败并出现此错误:
Error: 16 UNAUTHENTICATED: Failed to retrieve auth metadata with error: Could not refresh access token: Unsuccessful response status code. Request failed with status code 500
at Object.callErrorFromStatus (/workspace/node_modules/@grpc/grpc-js/build/src/call.js:31:26)
at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client.js:180:52)
at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:365:141)
at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:328:181)
at /workspace/node_modules/@grpc/grpc-js/build/src/call-stream.js:182:78
at processTicksAndRejections (node:internal/process/task_queues:78:11)
I believe both Cloud Functions and App Engine are managed by the same service account “App Engine default service account”.我相信 Cloud Functions 和 App Engine 都由同一个服务帐户“App Engine 默认服务帐户”管理。 And it has rights.
它有权利。
It seems like GOOGLE_APPLICATION_CREDENTIALS
is missing from the environment.环境中似乎缺少
GOOGLE_APPLICATION_CREDENTIALS
。
console.log(process.env.GOOGLE_APPLICATION_CREDENTIALS);
gives me undefined.给我不确定。 Can this be a reason?
这能成为理由吗? How do I pass this environment to app engine then?
那么我该如何将这个环境传递给应用引擎呢?
How can I deeper debug this?我怎样才能更深入地调试这个?
Make sure that Secret Manager Secret Accessor
role is granted to the Service Account from IAM for the App Engine.确保从 IAM 为 App Engine 的服务账户授予
Secret Manager Secret Accessor
角色。 The exact role you would need to add is: roles/secretmanager.secretAccessor.您需要添加的确切角色是:roles/secretmanager.secretAccessor。 You may refer here for more details.
您可以参考这里了解更多详情。
Also, have a look at this Stackoverflow case .另外,看看这个Stackoverflow 案例。
The Google Cloud documentation notes:谷歌云文档说明:
To use Secret Manager with workloads running on App Engine, you must grant any required permissions to the App Engine service.
要将 Secret Manager 与在 App Engine 上运行的工作负载一起使用,您必须向 App Engine 服务授予任何所需的权限。
I can verify that it worked correctly in my case (although I did have to specify the correct app ID in my secret request, and enable the Secret Accessor role for the service account in the IAM console .)我可以验证它在我的情况下是否正常工作(尽管我确实必须在我的秘密请求中指定正确的应用程序 ID,并在IAM 控制台中为服务帐户启用秘密访问者角色。)
Please find here a beautifully written answer.请在这里找到一个写得很漂亮的答案。
And, also the official Google documentation which doesn't list GAE as a directly supported product, however, GCE/GKE are supported out of the box, if that's an option for you.而且,官方的 Google 文档也没有将 GAE 列为直接支持的产品,但是,如果您愿意,GCE/GKE 是开箱即用的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.