提供来自Google Cloud Storage的Google客户服务帐户的keyFilename [英] Providing keyFilename of Google Client Service Account from Google Cloud Storage

问题描述

要连接到与Google Cloud Function不同的GCP项目中存在的Google Cloud BigQuery，我将按以下方式创建BigQuery客户端:

  const {BigQuery} = require('@ google-cloud/bigquery');const options = {keyFilename:"path/to/service_account.json"，projectId:"my_project"，};const bigquery = new BigQuery(options); 

但是，我不想将service_account.json存储在我的Cloud Function中，而是希望将Service Account存储在Google Cloud Storage中，并在上面的keyFilename中提供Google Cloud Storage路径.如果可以提供Google云存储路径而不是本地路径，我找不到任何文档.

解决方案

您无法提供Google Cloud Storage路径.假设您具有正确的权限来部署功能以从存储桶访问Blob(key.json文件)，则可以将文件从Google Cloud Storage下载到Cloud Function的 \ tmp 目录中./p>

下载对象

  const {Storage} = require('@ google-cloud/storage');const {BigQuery} = require('@ google-cloud/bigquery');//创建一个客户端const storage = new Storage();异步功能downloadFile(){const options = {//文件应下载到的路径，例如"./file.txt"目的地:\ tmp \ key.json，};//下载文件等待存储.bucket(bucketName).file(srcFilename).download(options);console.log(将gs://$ {bucketName}/$ {srcFilename}下载到$ {destFilename}.);}downloadFile().catch(console.error);const options = {keyFilename:'/tmp/key.json'，projectId:"my_project"，};const bigquery = new BigQuery(options); 

更好的解决方案是将 key.json 文件与创建机密和版本

 /*** TODO(developer):在运行示例之前取消注释这些变量.*///const name ='projects/my-project/secrets/my-secret/versions/5';//const name ='projects/my-project/secrets/my-secret/versions/latest';//导入Secret Manager库const {SecretManagerServiceClient} = require('@ google-cloud/secret-manager');//实例化客户端const client = new SecretManagerServiceClient();异步功能accessSecretVersion(){const [version] =等待client.accessSecretVersion({名称:名称，});//将有效负载提取为字符串.const有效负载= version.payload.data.toString('utf8');//警告:请勿在生产环境中打印机密-此//片段显示了如何访问机密材料.console.info(`Payload:$ {payload}`);}accessSecretVersion(); 

To connect to Google Cloud BigQuery that exists in a different GCP project from a Google Cloud Function, I am creating the BigQuery Client as follows:

const {BigQuery} = require('@google-cloud/bigquery');
const options = {
    keyFilename: 'path/to/service_account.json',
    projectId: 'my_project',
  };
const bigquery = new BigQuery(options);

But instead of storing the service_account.json in my Cloud Function, I want to store the Service Account in Google Cloud Storage and provide the Google Cloud Storage path in the keyFilename above. I couldn't find any documentation if it is possible to provide a google cloud storage path instead of a local path.

解决方案

You can not provide the Google Cloud Storage Path. Assuming you deployed your function with the right permissions to access the blob (key.json file) from your bucket, then you can download your file from Google Cloud Storage to \tmp directory of your Cloud Function.

Downloading objects

const {Storage} = require('@google-cloud/storage');
const {BigQuery} = require('@google-cloud/bigquery');

// Creates a client
const storage = new Storage();

async function downloadFile() {
  const options = {
    // The path to which the file should be downloaded, e.g. "./file.txt"
    destination: \tmp\key.json,
  };

  // Downloads the file
  await storage
    .bucket(bucketName)
    .file(srcFilename)
    .download(options);

  console.log(
    `gs://${bucketName}/${srcFilename} downloaded to ${destFilename}.`
  );
}

downloadFile().catch(console.error);

const options = {
    keyFilename: '/tmp/key.json',
    projectId: 'my_project',
  };

const bigquery = new BigQuery(options);

A better solution would be to store the key.json file with Google Secret Manager. Then assign to your cloud function the role secretmanager.secretAccessor and access the secret from you cloud function.

Creating secrets and versions

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const name = 'projects/my-project/secrets/my-secret/versions/5';
// const name = 'projects/my-project/secrets/my-secret/versions/latest';

// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');

// Instantiates a client
const client = new SecretManagerServiceClient();

async function accessSecretVersion() {
  const [version] = await client.accessSecretVersion({
    name: name,
  });

  // Extract the payload as a string.
  const payload = version.payload.data.toString('utf8');

  // WARNING: Do not print the secret in a production environment - this
  // snippet is showing how to access the secret material.
  console.info(`Payload: ${payload}`);
}

accessSecretVersion();

这篇关于提供来自Google Cloud Storage的Google客户服务帐户的keyFilename的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！