GCP VM Instance is not able to access secrets from Secret Manager despite appropriate Roles


Problem description

I created a few secrets in GCP's Secret Manager service. Then, to access these secrets from my local machine, I created a service account and a JSON key to authenticate that service account from my local machine. I also granted the role Secret Manager Secret Accessor to that service account so it can access the secret values in Secret Manager. This works perfectly fine on my local machine.

In addition, I want to deploy this code to a GCP Compute Instance. So I created one and sent the source code to that instance. I also granted the same permission, Secret Manager Secret Accessor, to the Compute instance's default service account. Now, when I run this code on the instance, it returns the permission denied error shown below.

The above exception was the direct cause of the following exception:
ibdax            | 
ibdax            | Traceback (most recent call last):
ibdax            |   File "manage.py", line 22, in <module>
ibdax            |     main()
ibdax            |   File "manage.py", line 18, in main
ibdax            |     execute_from_command_line(sys.argv)
ibdax            |   File "/usr/local/lib/python3.7/site-packages/django/core/management/__init__.py", line 419, in execute_from_command_line
ibdax            |     utility.execute()
ibdax            |   File "/usr/local/lib/python3.7/site-packages/django/core/management/__init__.py", line 363, in execute
ibdax            |     settings.INSTALLED_APPS
ibdax            |   File "/usr/local/lib/python3.7/site-packages/django/conf/__init__.py", line 82, in __getattr__
ibdax            |     self._setup(name)
ibdax            |   File "/usr/local/lib/python3.7/site-packages/django/conf/__init__.py", line 69, in _setup
ibdax            |     self._wrapped = Settings(settings_module)
ibdax            |   File "/usr/local/lib/python3.7/site-packages/django/conf/__init__.py", line 170, in __init__
ibdax            |     mod = importlib.import_module(self.SETTINGS_MODULE)
ibdax            |   File "/usr/local/lib/python3.7/importlib/__init__.py", line 127, in import_module
ibdax            |     return _bootstrap._gcd_import(name[level:], package, level)
ibdax            |   File "<frozen importlib._bootstrap>", line 1006, in _gcd_import
ibdax            |   File "<frozen importlib._bootstrap>", line 983, in _find_and_load
ibdax            |   File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
ibdax            |   File "<frozen importlib._bootstrap>", line 677, in _load_unlocked
ibdax            |   File "<frozen importlib._bootstrap_external>", line 728, in exec_module
ibdax            |   File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
ibdax            |   File "/ibdax/ibdax/settings.py", line 19, in <module>
ibdax            |     from ibdax.constants import (
ibdax            |   File "/ibdax/ibdax/constants.py", line 30, in <module>
ibdax            |     DEV_DATABASE_HOST=secrets.get_secrets("dev-database-host")
ibdax            |   File "/ibdax/ibdax/gcp_secret_manager.py", line 23, in get_secrets
ibdax            |     response = self.client.access_secret_version(request)
ibdax            |   File "/usr/local/lib/python3.7/site-packages/google/cloud/secretmanager_v1/services/secret_manager_service/client.py", line 1155, in access_secret_version
ibdax            |     response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
ibdax            |   File "/usr/local/lib/python3.7/site-packages/google/api_core/gapic_v1/method.py", line 145, in __call__
ibdax            |     return wrapped_func(*args, **kwargs)
ibdax            |   File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py", line 286, in retry_wrapped_func
ibdax            |     on_error=on_error,
ibdax            |   File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py", line 184, in retry_target
ibdax            |     return target()
ibdax            |   File "/usr/local/lib/python3.7/site-packages/google/api_core/grpc_helpers.py", line 75, in error_remapped_callable
ibdax            |     six.raise_from(exceptions.from_grpc_error(exc), exc)
ibdax            |   File "<string>", line 3, in raise_from
ibdax            | google.api_core.exceptions.PermissionDenied: 403 Request had insufficient authentication scopes.
I checked the IAM roles of the Compute Instance's service account, but it contains a message I cannot understand. Here is a screenshot of it -

How can I fix this?


Recommended answer

First, please don't download service account key files to your local machine. You can install the gcloud command-line tool from https://cloud.google.com/sdk and then authenticate with your user account:

$ gcloud auth login && gcloud auth application-default login

This will prompt you to log in to your Google account via the web; no service account is needed. This is much better from a security and auditing perspective.

Likewise, when running on GCE (or any compute-based platform such as GKE, Cloud Functions, Cloud Run, etc.), you should create a service account and run the instance as that service account. Do not use the default Compute Engine service account! Also, do not grant the default Compute Engine service account access to all secrets, as that poses a significant security risk. See Secret Manager Best Practices for more information.

The default OAuth scopes on GCE do not include cloud-platform. You need to update the scopes to include cloud-platform:

$ gcloud compute instances set-service-account "my-instance" --service-account "...@..." --scopes "cloud-platform"

More in the documentation.
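As an added example (not part of the original answer), the script below carries out the steps the answer recommends end to end: a dedicated service account instead of the default Compute Engine one, a secretAccessor grant on the single secret rather than on the whole project, and the cloud-platform scope set on the instance. It also includes a check, usable on the VM via the metadata server, that tells a scope problem apart from an IAM problem: "Request had insufficient authentication scopes" means the access token the metadata server mints for the instance lacks the cloud-platform scope, which no IAM role can compensate for. The project, zone, instance, secret and service-account names are hypothetical placeholders; the gcloud commands are standard ones. One caveat not stated in the answer: an instance's service account and scopes can only be changed while it is stopped, so the script stops and restarts it.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# All names below are hypothetical placeholders; override them via the environment.
PROJECT="${PROJECT:-my-project}"
ZONE="${ZONE:-us-central1-a}"
INSTANCE="${INSTANCE:-my-instance}"
SECRET="${SECRET:-dev-database-host}"
SA_NAME="${SA_NAME:-ibdax-runtime}"
SA_EMAIL="${SA_NAME}@${PROJECT}.iam.gserviceaccount.com"
CLOUD_PLATFORM_SCOPE="https://www.googleapis.com/auth/cloud-platform"

# Pure-shell check: given a newline-separated scope list (as returned by the
# metadata server or by `gcloud compute instances describe`), print "yes" if the
# instance token will carry the cloud-platform scope Secret Manager requires.
# -x forces a whole-line match so e.g. cloud-platform.read-only does not count.
scopes_include_cloud_platform() {
  if printf '%s\n' "$1" | grep -qxF "$CLOUD_PLATFORM_SCOPE"; then
    echo yes
  else
    echo no
  fi
}

# Run on the VM itself: ask the metadata server which identity and scopes the
# instance's access token carries. A "no" here explains the 403 regardless of
# how many IAM roles the service account has.
inspect_instance_identity() {
  md="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"
  echo "service account: $(curl -sf -H 'Metadata-Flavor: Google' "$md/email")"
  scopes="$(curl -sf -H 'Metadata-Flavor: Google' "$md/scopes")"
  echo "cloud-platform scope present: $(scopes_include_cloud_platform "$scopes")"
}

# Run from an operator workstation already authenticated with `gcloud auth login`.
remediate() {
  # 1. Dedicated identity for this workload instead of the default Compute Engine SA.
  gcloud iam service-accounts create "$SA_NAME" \
    --project "$PROJECT" --display-name "ibdax runtime"

  # 2. Least privilege: bind secretAccessor on the one secret, not at project level.
  gcloud secrets add-iam-policy-binding "$SECRET" \
    --project "$PROJECT" \
    --member "serviceAccount:${SA_EMAIL}" \
    --role "roles/secretmanager.secretAccessor"

  # 3. The attached SA and its scopes can only be changed while the instance is stopped.
  gcloud compute instances stop "$INSTANCE" --project "$PROJECT" --zone "$ZONE"
  gcloud compute instances set-service-account "$INSTANCE" \
    --project "$PROJECT" --zone "$ZONE" \
    --service-account "$SA_EMAIL" \
    --scopes cloud-platform
  gcloud compute instances start "$INSTANCE" --project "$PROJECT" --zone "$ZONE"

  # 4. Confirm which identity and scopes the instance now runs with.
  gcloud compute instances describe "$INSTANCE" \
    --project "$PROJECT" --zone "$ZONE" --format 'yaml(serviceAccounts)'
}

case "${1:-}" in
  --apply)   remediate ;;
  --inspect) inspect_instance_identity ;;
  *) # Offline demo on constructed scope lists: the GCE defaults vs. cloud-platform.
     DEFAULT_SCOPES="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write"
     echo "default GCE scopes cover Secret Manager: $(scopes_include_cloud_platform "$DEFAULT_SCOPES")"
     echo "cloud-platform scope covers Secret Manager: $(scopes_include_cloud_platform "$CLOUD_PLATFORM_SCOPE")"
     ;;
esac
```

Run it with `--inspect` on the instance to see what the metadata server will put in the token, and with `--apply` from a workstation to perform the change; with no argument it only runs the offline scope check against constructed input. After the change, `gcloud secrets versions access latest --secret=dev-database-host` executed on the VM is a quick end-to-end confirmation that both the IAM binding and the scope are in place.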
