in my Aws EC2 instance, I've a python script that interacts with Google Bigquery to perform several operations.
For security reasons, I don't want to use the service account private key as a file in my project, so, I stored it in my AWS Secrets Manager.
In python, it's easy to get the key using boto3:
import boto3
from botocore.exceptions import ClientError
import google.oauth2
def get_secret():
secret_name = "put_key_name_here"
region_name = "put_region_name_here"
session = boto3.session.Session()
client = session.client(service_name='secretsmanager', region_name=region_name)
get_secret_value_response = client.get_secret_value(SecretId = secret_name)
a = json.loads(get_secret_value_response['SecretString'])
return a['credentials'] #HERE I HAVE MY CREDENTIALS STRING
now I need to use one of the methods of the Google client. I can't use from_service_account_file but only from_service_account_infohttps://googleapis.dev/python/google-auth/1.7.0/user-guide.html
but the code goes on error:
dict_secrets={}
dict_secrets["client_email"]="my_account@myproject.iam.gserviceaccount.com"
dict_secrets["token_uri"]="https://oauth2.googleapis.com/token"
dict_secrets["private_key"] = get_secret() #myfunction to get the private_key
my_project='my_google_bigquery_project'
credential_bq = google.oauth2.service_account.Credentials.from_service_account_info(dict_secrets, scopes=["https://www.googleapis.com/auth/cloud-platform"])
client_bq = bigquery.Client(credentials=credential_bq, project=my_project)
ValueError: No key could be detected.
without dict_secrets["private_key"]
I received a differ error:
ValueError: The private_key field was not found in the service account info
Where I am wrong? Exist another way to do these operations? thanks!
From the docs
The response syntax is:
{
'ARN': 'string',
'Name': 'string',
'VersionId': 'string',
'SecretBinary': b'bytes',
'SecretString': 'string',
'VersionStages': [
'string',
],
'CreatedDate': datetime(2015, 1, 1)
}
So you need so pull out the 'SecretString'
from the response -
get_secret_value_response = client.get_secret_value(SecretId = secret_name)
secret_value = get_secret_value_response["SecretString"]
Also, from the Google Service Account docs , the downloaded key has the following format, where private-key is the private portion of the public/private key pair:
{
"type": "service_account",
"project_id": "project-id",
"private_key_id": "key-id",
"private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
"client_email": "service-account-email",
"client_id": "client-id",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}
:
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.