Secret Manager from Vertex AI Pipeline

I am working in GCP creating a Vertex AI pipeline with kubeflow and it is time for me to store my API keys more securely. I am very new to GCP and unfamiliar with the environment, so I've been trying to follow a few tutorials but have hit a roadblock. I want to store my secrets in Secret Manager and then later access them from the pipeline I've written. I have no problem creating secrets and viewing them in the GUI, but when it comes to compiling my pipeline I get the error: google.api_core.exceptions.PermissionDenied: 403 Permission denied on resource project...

So it seems that the account running my pipelines does not have access to the secrets I have created. My question is then, how do I check which account is running the pipeline so I can grant it access? Or is there really another underlying problem here?

Code trying to access the secret:

    from google.cloud import secretmanager

    client = secretmanager.SecretManagerServiceClient()
    secret_name = "secret_name"
    # "path" is the questioner's placeholder for the resource-name prefix
    request = {'name': f"path/{secret_name}/versions/latest"}
    response = client.access_secret_version(request)
    secret_string = response.payload.data.decode("UTF-8")

EDIT: I can add that I have been playing around a lot with account permissions, but my best guess is that the account found under Vertex AI > Workbench > the notebook I am using > notebook details > Service account is the one that needs permission. Is this not it?

Running the command gcloud auth list might help you to determine the account you are using. Additionally, you can troubleshoot the accounts that you have created in the project and see the roles that the accounts have by following this documentation.

To access secrets with Secret Manager using a pipeline, you need to grant the service account that runs the pipeline the Secret Manager permission. You can see how to configure a service account with granular permissions in the corresponding section of Configure your Google Cloud project for Vertex AI Pipelines.

After setting the Secret Manager permissions on the service account that is running the pipeline, you can access the secrets.

Additionally, you can check this documentation to see how to access secrets with a kubeflow pipeline.

Possible Cause

The error google.api_core.exceptions.PermissionDenied: 403 Permission denied in Vertex Pipeline components is typically because you did not specify the project to the GCP client library instance.

    client = secretmanager.SecretManagerServiceClient()  # <---- NO project specified

It is explained in Access Google Cloud services in your code.

This problem occurs because Vertex AI does not run your code directly in your Google Cloud project. Instead, Vertex AI runs your code in one of several separate projects managed by Google. Vertex AI uses these projects exclusively for operations related to your project. Therefore, don't try to infer a project ID from the environment in your training or prediction code; specify project IDs explicitly.

Because you did not specify the project ID to the SecretManagerServiceClient, it tried to connect to the Secret Manager service of the Vertex AI project managed by Google, which of course will not allow you to access it.

Fix

As per the example in Access Google Cloud services in your code, specify YOUR project ID to the project parameter when instantiating a GCP service client.

    import os

    from google.cloud import bigquery

    project_number = os.environ["CLOUD_ML_PROJECT_ID"]

    client = bigquery.Client(project=project_number)

In my case, the problem was that I was not using a custom service account, as according to this page:

Note: If you want your custom training code to obtain an OAuth 2.0 access token with the https://www.googleapis.com/auth/cloud-platform scope, then you must use a custom service account for training. You cannot give this level of access to the Vertex AI Custom Code Service Agent.

As the Secret Manager client requires the aforementioned access token, you will need to create your own custom service account first. After you create one (with the proper permission attached, namely Secret Manager Secret Accessor), you can attach the service account to the job that needs it.

    # Imports added for a runnable snippet; adjust to your kfp / pipeline-components version
    from kfp.v2.dsl import component
    from google_cloud_pipeline_components.v1.custom_job import create_custom_training_job_from_component


    @component(
        packages_to_install=['google-cloud-secret-manager']
    )
    def print_secret_op(project_id: str, secret_id: str, version_id: str) -> str:
        from google.cloud import secretmanager

        secret_client = secretmanager.SecretManagerServiceClient()
        # Fully qualified resource name: the project is given explicitly, not inferred
        secret_name = f'projects/{project_id}/secrets/{secret_id}/versions/{version_id}'
        response = secret_client.access_secret_version(request={"name": secret_name})
        payload = response.payload.data.decode("UTF-8")
        answer = "The secret is: {}".format(payload)
        # Note: anything printed here ends up in the job's logs, including the secret value
        print(answer)
        return answer


    # Run the component as a custom training job under the custom service account
    # that holds the Secret Manager Secret Accessor role
    print_secret_job = create_custom_training_job_from_component(
        print_secret_op,
        service_account="your-service-account-email",
    )
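The two fixes above (pass the project ID explicitly; run under a custom service account holding Secret Manager Secret Accessor) combined into one small helper, as an added example that is not code from the question or the answers. It assumes only the client's access_secret_version(request={"name": ...}) call and takes the client as a parameter, so the logic can be exercised with a stub; the role id roles/secretmanager.secretAccessor is the IAM name of the role the last answer mentions.

```python
import os
import re

# IAM role the pipeline's custom service account needs on the secret
SECRET_ACCESSOR_ROLE = "roles/secretmanager.secretAccessor"
_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,255}$")


def resolve_project_id(explicit=None, env=os.environ):
    """Return the project to use without guessing it from the runtime.

    Vertex AI runs components in a Google-managed project, so a client that
    infers its project lands there and gets a 403. Prefer the explicit
    parameter, then CLOUD_ML_PROJECT_ID (set by Vertex AI), else fail loudly.
    """
    project = explicit or env.get("CLOUD_ML_PROJECT_ID")
    if not project:
        raise ValueError("project ID must be passed explicitly or set in CLOUD_ML_PROJECT_ID")
    return project


def secret_version_name(project_id, secret_id, version_id="latest"):
    """Build the fully qualified resource name Secret Manager expects."""
    if not _ID_RE.match(secret_id):
        raise ValueError(f"invalid secret id: {secret_id!r}")
    return f"projects/{project_id}/secrets/{secret_id}/versions/{version_id}"


def read_secret(client, project_id, secret_id, version_id="latest"):
    """Fetch a secret payload; on 403 say what to grant instead of echoing the error.

    `client` must provide access_secret_version(request={"name": name}) and
    return an object with .payload.data (bytes), as SecretManagerServiceClient does.
    The payload itself is never logged.
    """
    name = secret_version_name(project_id, secret_id, version_id)
    try:
        response = client.access_secret_version(request={"name": name})
    except Exception as exc:  # duck-typed so google.api_core need not be importable here
        if "403" in str(exc) or type(exc).__name__ == "PermissionDenied":
            raise PermissionError(
                f"{name}: grant {SECRET_ACCESSOR_ROLE} on this secret to the custom "
                "service account attached to the pipeline job") from exc
        raise
    return response.payload.data.decode("utf-8")
```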
