Google Service Account credentials stored in AWS Secrets Manager

On my AWS EC2 instance I have a Python script that interacts with Google BigQuery to perform several operations.
For security reasons I do not want to keep the service account private key as a file in my project, so I store it in AWS Secrets Manager.
In Python, getting the key with boto3 is easy:
```python
import json
import boto3
from botocore.exceptions import ClientError
import google.oauth2.service_account  # provides google.oauth2.service_account.Credentials
from google.cloud import bigquery


def get_secret():
    secret_name = "put_key_name_here"
    region_name = "put_region_name_here"
    session = boto3.session.Session()
    client = session.client(service_name='secretsmanager', region_name=region_name)
    get_secret_value_response = client.get_secret_value(SecretId=secret_name)
    a = json.loads(get_secret_value_response['SecretString'])
    return a['credentials']  # HERE I HAVE MY CREDENTIALS STRING
```
Now I need to use one of the Google client's methods. I cannot use from_service_account_file, only from_service_account_info (https://googleapis.dev/python/google-auth/1.7.0/user-guide.html).
But the code keeps raising an error:
```python
dict_secrets = {}
dict_secrets["client_email"] = "my_account@myproject.iam.gserviceaccount.com"
dict_secrets["token_uri"] = "https://oauth2.googleapis.com/token"
dict_secrets["private_key"] = get_secret()  # my function to get the private_key
my_project = 'my_google_bigquery_project'
credential_bq = google.oauth2.service_account.Credentials.from_service_account_info(
    dict_secrets, scopes=["https://www.googleapis.com/auth/cloud-platform"])
client_bq = bigquery.Client(credentials=credential_bq, project=my_project)
```

```
ValueError: No key could be detected.
```
Without dict_secrets["private_key"] I get a different error:

```
ValueError: The private_key field was not found in the service account info
```

Where am I going wrong? Is there another way to do these operations? Thanks!
From the documentation, the response syntax is:

```python
{
    'ARN': 'string',
    'Name': 'string',
    'VersionId': 'string',
    'SecretBinary': b'bytes',
    'SecretString': 'string',
    'VersionStages': [
        'string',
    ],
    'CreatedDate': datetime(2015, 1, 1)
}
```
So you need to take 'SecretString' out of the response:

```python
get_secret_value_response = client.get_secret_value(SecretId=secret_name)
secret_value = get_secret_value_response["SecretString"]
```
Also, from the Google Service Account docs, the downloaded key has the following format, where private-key is the private part of the public/private key pair:

```json
{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
  "client_email": "service-account-email",
  "client_id": "client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}
```
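Combining the answer's two points with the question's wrapper layout, as an added example (not code from the original post or from the boto3/google-auth projects): a parser that accepts either the raw key JSON or the question's {"credentials": ...} wrapper, checks the fields from_service_account_info needs, repairs double-escaped newlines in the PEM (assumed here as one cause of "No key could be detected"), and only then builds the BigQuery client. Secret and region names are placeholders and the sample secrets are constructed.

```python
import json

# Fields that from_service_account_info needs; google-auth rejects info without them.
REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email", "token_uri")

# Constructed sample secrets (not real keys). Layout A: the downloaded key JSON is
# the whole SecretString. Layout B: the question's layout, the key JSON wrapped in
# a "credentials" field, with newlines double-escaped when pasted into the console.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "example-key-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIB-CONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "sa@example-project.iam.gserviceaccount.com",
    "client_id": "1234567890",
    "token_uri": "https://oauth2.googleapis.com/token",
})
SAMPLE_WRAPPED_SECRET = json.dumps({"credentials": SAMPLE_KEY_JSON.replace("\\n", "\\\\n")})


def parse_service_account_secret(secret_string):
    """Return the dict from_service_account_info expects, or raise ValueError."""
    info = json.loads(secret_string)
    if "private_key" not in info and "credentials" in info:
        inner = info["credentials"]  # either the key JSON as text, or already a dict
        info = json.loads(inner) if isinstance(inner, str) else inner
    missing = [f for f in REQUIRED_FIELDS if f not in info]
    if missing:
        raise ValueError("service account secret is missing: " + ", ".join(missing))
    key = info["private_key"]
    # Literal "\n" sequences with no real newline mean the PEM was double-escaped;
    # without real line breaks google-auth reports "No key could be detected".
    if "\\n" in key and "\n" not in key:
        key = key.replace("\\n", "\n")
    if not key.startswith("-----BEGIN") or "-----END" not in key:
        raise ValueError("private_key is not a PEM block")
    info["private_key"] = key
    return info


def bigquery_client_from_secret(secret_name, region_name, project=None):
    """Fetch the secret and build a BigQuery client (needs network and AWS credentials)."""
    import boto3  # imported here so the parser above works without boto3/google libs
    from google.cloud import bigquery
    from google.oauth2 import service_account
    sm = boto3.session.Session().client("secretsmanager", region_name=region_name)
    info = parse_service_account_secret(sm.get_secret_value(SecretId=secret_name)["SecretString"])
    creds = service_account.Credentials.from_service_account_info(
        info, scopes=["https://www.googleapis.com/auth/cloud-platform"])
    return bigquery.Client(credentials=creds, project=project or info["project_id"])
```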