Can't access secret in GCP Secret Manager

Problem description

I'm trying to migrate my code from using API keys stored in the .env file to using Google Cloud Platform Secrets Manager. I've followed the instructions here but I encounter an error saying that I don't have permissions to access the secret.

import * as admin from "firebase-admin"
import { SecretManagerServiceClient } from "@google-cloud/secret-manager"

admin.initializeApp()
const secretClient = new SecretManagerServiceClient()

async function main() {
  async function getSecret(): Promise<string | null | undefined> {
    const [version] = await secretClient.accessSecretVersion({ name: "TELEGRAM_TOKEN" })

    return version.payload?.data?.toString()
  }

  const TELEGRAM_TOKEN = await getSecret()
  console.log(TELEGRAM_TOKEN)
}

main().catch(console.error)

This is the error I get:

> node lib/app.js --telegram

{ Error: 7 PERMISSION_DENIED: Permission denied on resource project TELEGRAM_TOKEN.
    at Object.callErrorFromStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call.js:30:26)
    at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client.js:174:52)
    at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:340:141)
    at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:303:181)
    at Http2CallStream.outputStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:114:27)
    at Http2CallStream.maybeOutputStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:153:22)
    at Http2CallStream.endCall (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:140:18)
    at Http2CallStream.handleTrailers (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:262:14)
    at ClientHttp2Stream.emit (events.js:198:13)
    at emit (internal/http2/core.js:265:8)
  code: 7,
  details: 'Permission denied on resource project TELEGRAM_TOKEN.',
  metadata:
   Metadata {
     internalRepr:
      Map {
        'google.rpc.help-bin' => [Array],
        'grpc-status-details-bin' => [Array],
        'grpc-server-stats-bin' => [Array] },
     options: {} },
  note:
   'Exception occurred in retry method that was not classified as transient' }

I did create a Service Account with "Owner" permissions, downloaded it and made export GOOGLE_APPLICATION_CREDENTIALS=/Users/.... My service account .json file location is correctly displayed when I execute echo $GOOGLE_APPLICATION_CREDENTIALS.

I have really no idea what I'm doing wrong.

Recommended answer

When you access a secret, you need to specify the project:

await secretClient.accessSecretVersion({ name: "TELEGRAM_TOKEN" })

should be

await secretClient.accessSecretVersion({ name: "projects/my-project/secrets/TELEGRAM_TOKEN" })
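
An added example (not part of the original answer): `accessSecretVersion` takes the full version resource name, `projects/<project>/secrets/<secret>/versions/<version>`, so this TypeScript helper builds and validates that name before any API call is made. The helper names and the ID patterns (project ID or project number, numeric version or `latest`) are assumptions of this example.

```typescript
// Added example; helper names and patterns are hypothetical, not library code.
// Assumption: project is a project ID (6-30 chars) or a numeric project number.
const PROJECT = /^([a-z][a-z0-9-]{4,28}[a-z0-9]|[0-9]+)$/
// Secret IDs: letters, digits, hyphens and underscores, up to 255 characters.
const SECRET = /^[A-Za-z0-9_-]{1,255}$/
// Assumption: only numeric versions and "latest" are accepted here.
const VERSION = /^(latest|[1-9][0-9]*)$/
const FULL_NAME = /^projects\/([^/]+)\/secrets\/([^/]+)\/versions\/([^/]+)$/

interface SecretRef {
  project: string
  secret: string
  version: string
}

// Build the resource name from its parts, rejecting malformed components.
function secretVersionName(project: string, secret: string, version: string = "latest"): string {
  if (!PROJECT.test(project)) throw new Error(`invalid project: ${project}`)
  if (!SECRET.test(secret)) throw new Error(`invalid secret ID: ${secret}`)
  if (!VERSION.test(version)) throw new Error(`invalid version: ${version}`)
  return `projects/${project}/secrets/${secret}/versions/${version}`
}

// Validate a name that came from config before it reaches the API.
// A bare "TELEGRAM_TOKEN" fails here with a clear message instead of
// surfacing later as PERMISSION_DENIED on a project that does not exist.
function parseSecretVersionName(name: string): SecretRef {
  const m = FULL_NAME.exec(name)
  if (m === null) {
    throw new Error(
      `"${name}" is not of the form projects/<project>/secrets/<secret>/versions/<version>`
    )
  }
  const project = m[1] as string
  const secret = m[2] as string
  const version = m[3] as string
  secretVersionName(project, secret, version) // re-check each component
  return { project, secret, version }
}
```

Pass the result of `secretVersionName(...)` as `name` to `secretClient.accessSecretVersion`. The account reading the secret needs only the Secret Manager Secret Accessor role (`roles/secretmanager.secretAccessor`), not Owner.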
