GCP VM Instance is not able to access secrets from Secret Manager despite appropriate Roles

Problem description
I created a few secrets in the Secret Manager service. Then, to access these secrets from my local machine, I created a service account and a JSON key to authenticate that service account from my local machine. I also granted the Secret Manager Secret Accessor role to the service account so that it can access the secret values in Secret Manager. It now works perfectly fine on my local machine.

Next, I want to deploy this code to a GCP Compute Instance. So I created one and pushed the source code to that instance. I also granted the same Secret Manager Secret Accessor permission to the compute instance's default service account. Now, when I run this code on the instance, it returns the permission denied error shown below.
The above exception was the direct cause of the following exception:
ibdax |
ibdax | Traceback (most recent call last):
ibdax | File "manage.py", line 22, in <module>
ibdax | main()
ibdax | File "manage.py", line 18, in main
ibdax | execute_from_command_line(sys.argv)
ibdax | File "/usr/local/lib/python3.7/site-packages/django/core/management/__init__.py", line 419, in execute_from_command_line
ibdax | utility.execute()
ibdax | File "/usr/local/lib/python3.7/site-packages/django/core/management/__init__.py", line 363, in execute
ibdax | settings.INSTALLED_APPS
ibdax | File "/usr/local/lib/python3.7/site-packages/django/conf/__init__.py", line 82, in __getattr__
ibdax | self._setup(name)
ibdax | File "/usr/local/lib/python3.7/site-packages/django/conf/__init__.py", line 69, in _setup
ibdax | self._wrapped = Settings(settings_module)
ibdax | File "/usr/local/lib/python3.7/site-packages/django/conf/__init__.py", line 170, in __init__
ibdax | mod = importlib.import_module(self.SETTINGS_MODULE)
ibdax | File "/usr/local/lib/python3.7/importlib/__init__.py", line 127, in import_module
ibdax | return _bootstrap._gcd_import(name[level:], package, level)
ibdax | File "<frozen importlib._bootstrap>", line 1006, in _gcd_import
ibdax | File "<frozen importlib._bootstrap>", line 983, in _find_and_load
ibdax | File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
ibdax | File "<frozen importlib._bootstrap>", line 677, in _load_unlocked
ibdax | File "<frozen importlib._bootstrap_external>", line 728, in exec_module
ibdax | File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
ibdax | File "/ibdax/ibdax/settings.py", line 19, in <module>
ibdax | from ibdax.constants import (
ibdax | File "/ibdax/ibdax/constants.py", line 30, in <module>
ibdax | DEV_DATABASE_HOST=secrets.get_secrets("dev-database-host")
ibdax | File "/ibdax/ibdax/gcp_secret_manager.py", line 23, in get_secrets
ibdax | response = self.client.access_secret_version(request)
ibdax | File "/usr/local/lib/python3.7/site-packages/google/cloud/secretmanager_v1/services/secret_manager_service/client.py", line 1155, in access_secret_version
ibdax | response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
ibdax | File "/usr/local/lib/python3.7/site-packages/google/api_core/gapic_v1/method.py", line 145, in __call__
ibdax | return wrapped_func(*args, **kwargs)
ibdax | File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py", line 286, in retry_wrapped_func
ibdax | on_error=on_error,
ibdax | File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py", line 184, in retry_target
ibdax | return target()
ibdax | File "/usr/local/lib/python3.7/site-packages/google/api_core/grpc_helpers.py", line 75, in error_remapped_callable
ibdax | six.raise_from(exceptions.from_grpc_error(exc), exc)
ibdax | File "<string>", line 3, in raise_from
ibdax | google.api_core.exceptions.PermissionDenied: 403 Request had insufficient authentication scopes.
I checked the IAM roles of the Compute Instance's service account, but it contains some messages I don't understand. Here is a screenshot of it -
How do I fix this issue?
Recommended answer

First, please do not download service account key files to your local machine. You can install the gcloud command-line tool from https://cloud.google.com/sdk and then authenticate with your user account:
$ gcloud auth login && gcloud auth application-default login
This will prompt you to sign in to your Google account through the web - no service account needed. That is much better from a security and auditing perspective.
Likewise, when running on GCE (or any compute-based platform such as GKE, Cloud Functions, Cloud Run, etc.), you should create a service account and run the instance as that service account. Do not use the default Compute Engine service account! Also, do not grant the default Compute Engine service account access to all secrets, as that is a significant security risk. See Secret Manager Best Practices for more information.
The default OAuth scopes on GCE do not include cloud-platform. You need to update the scopes to include cloud-platform:
$ gcloud compute instances set-service-account "my-instance" --service-account "...@..." --scopes "cloud-platform"
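As an added example (not part of the question or the answer above), the following Python diagnostic makes the distinction the answer relies on concrete: an IAM role and an OAuth access scope are two separate controls, and the traceback's "403 Request had insufficient authentication scopes" points at the second one, not at IAM. It reads the VM's service-account email and scopes from the real GCE metadata-server endpoints, classifies the 403 text, and emits the gcloud remediation in least-privilege form (a dedicated service account bound on the one secret rather than the whole project, then the cloud-platform scope). The sample metadata response, the IAM-style error text, and the names my-instance, us-central1-a, my-project, dev-database-host and ibdax-app@my-project.iam.gserviceaccount.com are constructed for illustration.

```python
"""Added diagnostic (not from the original post): why a GCE VM that holds
roles/secretmanager.secretAccessor can still get a 403 from Secret Manager.

Two independent controls gate a Secret Manager call from a VM:
  1. IAM: the VM's service account holds secretmanager.secretAccessor on the secret.
  2. OAuth access scopes: the VM's token carries the cloud-platform scope.
     Secret Manager accepts only cloud-platform; the legacy GCE default scopes
     do not include it, hence "Request had insufficient authentication scopes".
"""
import urllib.request
from typing import Callable, Dict, List

# Real GCE metadata-server paths; only reachable from inside a GCE VM.
METADATA_ROOT = ("http://metadata.google.internal/computeMetadata/v1/"
                 "instance/service-accounts/default/")
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
DEFAULT_COMPUTE_SA_SUFFIX = "-compute@developer.gserviceaccount.com"

# Constructed sample of what the metadata server returns for a VM that still
# runs as the default Compute Engine service account with the default scopes.
SAMPLE_METADATA: Dict[str, str] = {
    "email": "123456789012-compute@developer.gserviceaccount.com\n",
    "scopes": (
        "https://www.googleapis.com/auth/devstorage.read_only\n"
        "https://www.googleapis.com/auth/logging.write\n"
        "https://www.googleapis.com/auth/monitoring.write\n"
        "https://www.googleapis.com/auth/servicecontrol\n"
        "https://www.googleapis.com/auth/service.management.readonly\n"
        "https://www.googleapis.com/auth/trace.append\n"
    ),
}


def metadata_fetch(path: str) -> str:
    """Read one attribute of the VM's service account from the metadata server."""
    req = urllib.request.Request(METADATA_ROOT + path,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def sample_fetch(path: str) -> str:
    """Offline stand-in for metadata_fetch, backed by SAMPLE_METADATA."""
    return SAMPLE_METADATA[path]


def parse_scopes(raw: str) -> List[str]:
    """The 'scopes' endpoint returns one scope URL per line."""
    return [line.strip() for line in raw.splitlines() if line.strip()]


def has_cloud_platform_scope(scopes: List[str]) -> bool:
    return CLOUD_PLATFORM_SCOPE in scopes


def classify_403(message: str) -> str:
    """Tell a scope problem apart from an IAM problem using the 403 text.

    'scope': token lacks cloud-platform -> fix with set-service-account --scopes.
    'iam':   token is fine but the account lacks the role on that secret.
    """
    msg = message.lower()
    if "insufficient authentication scopes" in msg:
        return "scope"
    if "permission" in msg and "denied" in msg:
        return "iam"
    return "unknown"


def diagnose(fetch: Callable[[str], str] = metadata_fetch) -> Dict[str, object]:
    """Collect the identity and scopes the VM's token actually carries."""
    email = fetch("email").strip()
    scopes = parse_scopes(fetch("scopes"))
    findings: List[str] = []
    if email.endswith(DEFAULT_COMPUTE_SA_SUFFIX):
        findings.append("VM runs as the default Compute Engine service account; "
                        "create a dedicated one instead.")
    if not has_cloud_platform_scope(scopes):
        findings.append("Token lacks the cloud-platform scope; Secret Manager "
                        "calls fail with 'insufficient authentication scopes'.")
    return {
        "service_account": email,
        "uses_default_compute_sa": email.endswith(DEFAULT_COMPUTE_SA_SUFFIX),
        "scopes": scopes,
        "has_cloud_platform_scope": has_cloud_platform_scope(scopes),
        "findings": findings,
    }


def remediation_commands(instance: str, zone: str, sa_email: str,
                         secret: str, project: str) -> List[str]:
    """gcloud steps for the least-privilege fix: a dedicated service account,
    a binding on the single secret (not the project), and the cloud-platform
    scope. set-service-account only works on a stopped instance."""
    sa_name = sa_email.split("@")[0]
    return [
        f"gcloud iam service-accounts create {sa_name} --project {project}",
        f"gcloud secrets add-iam-policy-binding {secret} --project {project} "
        f"--member serviceAccount:{sa_email} --role roles/secretmanager.secretAccessor",
        f"gcloud compute instances stop {instance} --zone {zone} --project {project}",
        f"gcloud compute instances set-service-account {instance} --zone {zone} "
        f"--project {project} --service-account {sa_email} --scopes cloud-platform",
        f"gcloud compute instances start {instance} --zone {zone} --project {project}",
    ]


if __name__ == "__main__":
    # On a real VM, pass metadata_fetch instead of sample_fetch.
    report = diagnose(sample_fetch)
    for line in report["findings"]:
        print("finding:", line)
    if classify_403("403 Request had insufficient authentication scopes.") == "scope":
        for cmd in remediation_commands("my-instance", "us-central1-a",
                                        "ibdax-app@my-project.iam.gserviceaccount.com",
                                        "dev-database-host", "my-project"):
            print(cmd)
```

Run it on the VM with `diagnose(metadata_fetch)`; if `has_cloud_platform_scope` is False the role grant in the IAM console is irrelevant until the scopes are changed, which is exactly the state the traceback describes. Binding the role on the individual secret with `gcloud secrets add-iam-policy-binding` keeps the blast radius of a compromised VM to the secrets it actually needs.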