Google Cloud Secrets Manager 拒绝访问 App Engine 应用程序,但可与 Google Cloud Function 一起使用
[英]Google Cloud Secrets Manager denies access to App Engine application but works with Google Cloud Function
问题描述
I'm trying to connect to get a secret from google's secrets manager, and the same code works for Cloud Functions, but not for App Engine.
我正在尝试连接以从 google 的机密管理器获取机密,并且相同的代码适用于 Cloud Functions,但不适用于 App Engine。
const { SecretManagerServiceClient } = require('@google-cloud/secret-manager'); const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
const secretManagerServiceClient = new SecretManagerServiceClient();
const name = 'projects/000000000000/secrets/database/versions/latest';
exports.testSecretManager = async (req, res) => {
const [version] = await secretManagerServiceClient.accessSecretVersion({ name });
const payload = version.payload.data.toString();
console.debug(`Payload: ${payload}`);
res.sendStatus(200);
};
The same code works fine when I deploy it as a function.当我将它部署为 function 时,相同的代码工作正常。
But when I run the same code as a part of App Engine application.但是当我运行相同的代码作为 App Engine 应用程序的一部分时。 It fails with this error:它失败并出现此错误:
Error: 16 UNAUTHENTICATED: Failed to retrieve auth metadata with error: Could not refresh access token: Unsuccessful response status code. Request failed with status code 500
at Object.callErrorFromStatus (/workspace/node_modules/@grpc/grpc-js/build/src/call.js:31:26)
at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client.js:180:52)
at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:365:141)
at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:328:181)
at /workspace/node_modules/@grpc/grpc-js/build/src/call-stream.js:182:78
at processTicksAndRejections (node:internal/process/task_queues:78:11)
I believe both Cloud Functions and App Engine are managed by the same service account “App Engine default service account”.我相信 Cloud Functions 和 App Engine 都由同一个服务帐户“App Engine 默认服务帐户”管理。 And it has rights.它有权利。
It seems like GOOGLE_APPLICATION_CREDENTIALS is missing from the environment.环境中似乎缺少GOOGLE_APPLICATION_CREDENTIALS 。
console.log(process.env.GOOGLE_APPLICATION_CREDENTIALS); gives me undefined.给我不确定。 Can this be a reason?这能成为理由吗? How do I pass this environment to app engine then?那么我该如何将这个环境传递给应用引擎呢?
How can I deeper debug this?我怎样才能更深入地调试这个?
2 个解决方案
解决方案1
0 2022-02-18 13:35:22
Make sure that Secret Manager Secret Accessor role is granted to the Service Account from IAM for the App Engine.确保从 IAM 为 App Engine 的服务账户授予Secret Manager Secret Accessor角色。 The exact role you would need to add is: roles/secretmanager.secretAccessor.您需要添加的确切角色是:roles/secretmanager.secretAccessor。 You may refer here for more details.您可以参考这里了解更多详情。
Also, have a look at this Stackoverflow case .另外,看看这个Stackoverflow 案例。
解决方案2
0 2022-08-29 15:03:54
The Google Cloud documentation notes:谷歌云文档说明:
To use Secret Manager with workloads running on App Engine, you must grant any required permissions to the App Engine service.
I can verify that it worked correctly in my case (although I did have to specify the correct app ID in my secret request, and enable the Secret Accessor role for the service account in the IAM console .)我可以验证它在我的情况下是否正常工作(尽管我确实必须在我的秘密请求中指定正确的应用程序 ID,并在IAM 控制台中为服务帐户启用秘密访问者角色。)
解决方案3
-1 2022-03-10 14:30:32
Please find here a beautifully written answer.请在这里找到一个写得很漂亮的答案。
And, also the official Google documentation which doesn't list GAE as a directly supported product, however, GCE/GKE are supported out of the box, if that's an option for you.而且,官方的 Google 文档也没有将 GAE 列为直接支持的产品,但是,如果您愿意,GCE/GKE 是开箱即用的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.