谷歌KMS在AppEngine / Python&开发AppServer [英] Google KMS on AppEngine/Python & Development AppServer

问题描述

从文档如何在Google App Engine Standard上使用Google密钥管理系统（KMS），特别是在使用开发服务器在本地进行开发时。

它看起来相当简单：

1. 在Python虚拟环境中安装 google-api-python-client 在 appengine_config.py 中添加virtualenv路径 google.appengine.ext.vendor ）
   
2. 导入 googleapiclient.discovery


3. 通过 google.appengine.api.app_identity获取应用程序标识


4. 以预期/记录的方式使用 kms 客户端

...然后按照文档中链接的教程。然而，我迄今为止的尝试并未取得成功，而且文件似乎只需要几个步骤。

这感觉就像我开创了一个新天地，确保其他人已经拥有。

有没有人在App Engine Standard&它的本地开发服务器？

编辑 - 使用代码示例更新

以下是一些代码，似乎与我的默认凭据设置。

mykms.py

 从google.appengine.api导入googleapiclient.discovery 
从oauth2client.client导入app_identity 
 
导入GoogleCredentials 
 credentials = GoogleCredentials.get_application_default（）
 
 PROJECT ='my-crypto-project'
 IS_LOCAL = True 
 LOCATION ='global'
 TESTING_KR ='testing-keyring '
 KEY_RING = TESTING_KR if IS_LOCAL else app_identity.get_application_id（）
 
 kms = googleapiclient.discovery.build（'cloudkms'，'v1'，credentials = credentials）
 
 def encrypt（明文，cryptokey，keyring = KEY_RING，location = LOCATION）：
 name ='projects / {} / locations / {} / keyRings / {} / cryptoKeys / {}'。format（
 PROJECT，location，keyri ng，cryptokey 
）
 cryptokeys = kms.projects（）。locations（）。keyRings（）。cryptoKeys（）
 request = cryptokeys.encrypt（name = name，body = {'plaintext '：plaintext}）
返回request.execute（）
 
 
 def解密（ciphertext，cryptokey，keyring = KEY_RING，location = LOCATION）：
 name =' projects / {} / locations / {} / keyRings / {} / cryptokey'.format（
 PROJECT，location，keyring 
）
 cryptokeys = kms.projects（）。locations（）。 keyRings（）。cryptoKeys（）
 request = cryptokeys.decrypt（name = name，body = {'ciphertext'：ciphertext}）
 return request.execute（）
  dev_appserver.py 调用：
 $ 
 
 
 
 $ b 
  import mykms 
 mykms.encrypt（my text，cryptokey =my-key-ring）
  
给出错误：
 
 
 
 
 HttpError：https： //cloudkms.googleapis.com/v1/projects/np-crypto/locations/global/keyRings/localhost-test ing / cryptoKeys / machine-identifiers：encrypt？alt = json returned请求具有无效的认证凭证。预期的OAuth 2访问令牌，登录Cookie或其他有效的认证凭证。请参阅 https://developers.google.com/identity/sign-in / web / devconsole-project 。> 
 
 
这不是特别有用，主要关注Google登录该网站;但是，当我从命令行导入 mykms 时，出现错误： 
 
 
 
 
应用程序默认凭证不可用，如果在Google Compute Engine中运行，则可用。否则，必须定义环境变量GOOGLE_APPLICATION_CREDENTIALS，指向定义凭证的文件。请参阅 https://developers.google.com/accounts/docs/application-default-credentials 了解更多信息。  
 
这似乎是现在的正确选择。 eport back。 
 
 
编辑＃2 
 
 
 
该应用程序现在似乎已连接到KMS。我删除并重新登录到 gcloud auth application-default login 。然而，有一个奇怪的副作用 - 似乎是扫描驱动器，以及数百条消息（似乎从根目录的每个可访问的目录），就像下面的混乱日志： b 
 $ b 
 
 
 INFO 30 Jun 2017 20:06:57沙箱阻止访问文件/ Users
 
 
 
 INFO 30 Jun 2017 20:06:57如果它是一个静态文件，请检查app.yaml中是否设置了 application_readable：true 如果您在GAE中使用Cloud KMS进行开发，则不存在本地开发人员服务，你只能跟你收集的主要生产服务谈话。您可以按照您详细说明的方式使用这些库在本地进行开发，但仍然可以进行生产。
 
 
 
请注意，您必须为GAE应用程序提供默认凭据使用范围，请参阅 https://cloud.google.com/kms / docs / accessible-the-api＃google_app_engine  
 
 
 
如果您使用
 <$ c $，您也可以将请求作为GAE服务帐户c> gcloud iam服务帐户密钥和 gcloud auth activate-service-account 。
 
 
 
通常，对于开发环境，您可能希望将其作为独立的KeyRing（甚至是单独的项目）从您的生产资源中分割出来。
 
It's not clear from the documentation how one might wield Google Key Management System (KMS) on Google App Engine Standard, particularly when developing locally using the development server.

It would appear as reasonably straightforward as:

Installing google-api-python-client in a Python virtual env (and adding the virtualenv path with google.appengine.ext.vendor in appengine_config.py)
importing googleapiclient.discovery
getting the application identity with google.appengine.api.app_identity
Using the kms client in the anticipated / documented way
... then following the tutorial linked in the Documentation.  However my attempts so far have not resulted in success, and it appears the documentation is wanting for a few steps.

It feels like I'm breaking new ground that I'm sure others must have already.

Has anyone documented using Google KMS on App Engine Standard & its local development server?

EDIT -  Update with Code Example

Here's some code that illuminates -- the problem would appear to be with my setup of default credentials.

mykms.py

import googleapiclient.discovery
from google.appengine.api import app_identity

from oauth2client.client import GoogleCredentials
credentials = GoogleCredentials.get_application_default()

PROJECT = 'my-crypto-project'
IS_LOCAL = True
LOCATION = 'global'
TESTING_KR = 'testing-keyring'
KEY_RING = TESTING_KR if IS_LOCAL else app_identity.get_application_id()

kms = googleapiclient.discovery.build('cloudkms', 'v1', credentials=credentials)

def encrypt(plaintext, cryptokey, keyring=KEY_RING, location=LOCATION):
    name = 'projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(
        PROJECT, location, keyring, cryptokey
    )
    cryptokeys = kms.projects().locations().keyRings().cryptoKeys()
    request = cryptokeys.encrypt(name=name, body={'plaintext': plaintext})
    return request.execute()


def decrypt(ciphertext, cryptokey, keyring=KEY_RING, location=LOCATION):
    name = 'projects/{}/locations/{}/keyRings/{}/cryptokey'.format(
        PROJECT, location, keyring
    )
    cryptokeys = kms.projects().locations().keyRings().cryptoKeys()
    request = cryptokeys.decrypt(name=name, body={'ciphertext': ciphertext})
    return request.execute()
Now calling, via dev_appserver.py:
import mykms
mykms.encrypt("my text", cryptokey="my-key-ring")
gives an error of:

  
HttpError: https://cloudkms.googleapis.com/v1/projects/np-crypto/locations/global/keyRings/localhost-testing/cryptoKeys/machine-identifiers:encrypt?alt=json returned "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.">
That's not especially helpful, being mostly concerned with Google Sign-In on the website; however, when I import the mykms from the command line, I get the error:

  
The Application Default Credentials are not available. They are available if running in Google Compute Engine. Otherwise, the environment variable GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file defining the credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
This seems like the correct lead for now.  Will flush it out and report back.

EDIT #2

The application seems to now connect to KMS.  I deleted and re-logged into gcloud auth application-default login. 

However, there's a weird side effect — something seems to be scanning the drive, and hundreds of messages (seemingly one for every accessible directory from root) like the following clutter the log:

  
INFO  30 Jun 2017 20:06:57  Sandbox prevented access to file "/Users"
  
  
INFO  30 Jun 2017 20:06:57  If it is a static file, check that application_readable: true is set in your app.yaml

解决方案
If you're developing using Cloud KMS in GAE, there isn't a local dev service, you can only talk to the main production service as you've gathered. You could use the libraries as you've detailed to develop locally, but would still be hitting production.

Note that you'll have to give GAE application default credentials with a scope for use, see https://cloud.google.com/kms/docs/accessing-the-api#google_app_engine

You can also make requests as the GAE service account if you use
gcloud iam service-accounts keys and gcloud auth activate-service-account.

In general, for a dev environment, you might want to segment this as a separate KeyRing (or even a separate project) from your production resources.

                        
这篇关于谷歌KMS在AppEngine / Python&amp;开发AppServer的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！