Google Cloud Composer: getting the default service account's private key
I'm using pymongo (from an Airflow hook) to connect to a Mongo instance which implements FLE (Field Level Encryption) using Google KMS for the keys. We have a VM which has a service account file, and this is how we configured it:
    import json

    from airflow.providers.mongo.hooks.mongo import MongoHook
    from pymongo.encryption_options import AutoEncryptionOpts

    hook = MongoHook(self.source_conn_id)
    # Service account JSON key file downloaded from GCP
    creds = json.load(open(self.gcs_service_account_keypath))
    kms_providers = {
        "gcp": {
            "email": creds['client_email'],
            # pymongo wants the bare base64 body, so strip the PEM armor
            "privateKey": creds['private_key'].replace(
                '-----BEGIN PRIVATE KEY-----\n', '').replace(
                '\n-----END PRIVATE KEY-----\n', '')
        }
    }
    auto_encryption_opts = AutoEncryptionOpts(
        kms_providers,
        key_vault_namespace=self.mongo_key_vault_namespace,
        bypass_auto_encryption=True)
    hook.extras = {'auto_encryption_opts': auto_encryption_opts}
Now I'm trying to do the same in Cloud Composer, but I can't find how to access the private key of the default service account in Cloud Composer. I could export the service account key, add it to Secret Manager and access it like that, but it doesn't seem like a very good idea.
Any ideas how I can access it?
Comments (2)
There are three types of service account private keys: Google-managed, user-managed and user-supplied (imported).
You cannot directly access the private key from a compute service, as the metadata server does not provide access to private keys - only tokens created from private keys.
The standard recommendation is to use the IAM APIs to sign blobs/JWTs.
Your other option is to use a user-managed key, where you download the service account JSON key file and provide that file to your application, or load it as a secret from Secret Manager or a similar service.
You can generate a service account key following these steps. Instead of using Secret Manager, you can put the private key in the GCS bucket associated with your environment, in your data folder (gs://bucket-name/data), to make it accessible. For more information on using the Cloud Storage bucket associated with your Cloud Composer environment, you can refer to this documentation.
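Worked example, added here and not code from the question or from either answer: the snippet in the question strips the PEM armor from the `private_key` field with two exact-string `replace()` calls, which quietly leave the armor in place if the key file has CRLF line endings or no trailing newline, and the driver then gets a string that is not base64. The helper below parses the PEM block tolerantly, checks that what remains is valid base64 before it is handed to pymongo, and builds the `kms_providers` mapping from a key file, which is how you would consume a key file dropped in the environment bucket's `data` folder as the second answer suggests. The sample key file is constructed inline (the key body is base64 of arbitrary bytes, not a real RSA key), and the `/home/airflow/gcs/data` path used in the usage note is the mount point Composer workers see for that folder, stated here as an assumption of the example.

```python
import base64
import binascii
import json
import re

# Constructed sample: NOT a real service account key. The private_key body is
# base64 of arbitrary bytes, laid out in 64-column lines like a real PEM file.
_FAKE_KEY_BODY = base64.b64encode(b"not-a-real-rsa-key-just-sample-bytes" * 3).decode()
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "composer-sa@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\n"
                   + "\n".join(_FAKE_KEY_BODY[i:i + 64] for i in range(0, len(_FAKE_KEY_BODY), 64))
                   + "\n-----END PRIVATE KEY-----\n",
})

# Matches one PEM block and requires the BEGIN and END labels to agree.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def naive_strip(pem: str) -> str:
    """The approach from the question, kept for comparison: exact-string replace."""
    return pem.replace('-----BEGIN PRIVATE KEY-----\n', '').replace(
        '\n-----END PRIVATE KEY-----\n', '')


def pem_body_to_base64(pem: str) -> str:
    """Return the base64 payload of a PKCS#8 PEM block, armor and line breaks removed.

    Tolerates CRLF line endings and a missing trailing newline, rejects blocks
    that are not a 'PRIVATE KEY', and verifies the payload decodes as base64 so
    a mangled file fails here rather than deep inside the driver.
    """
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found in private_key field")
    if m.group("label") != "PRIVATE KEY":
        raise ValueError(f"expected a 'PRIVATE KEY' block, got {m.group('label')!r}")
    body = re.sub(r"\s+", "", m.group("body"))
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not valid base64") from exc
    return body


def kms_providers_from_key_file(key_json: str) -> dict:
    """Build the pymongo `kms_providers` mapping for the GCP KMS provider."""
    creds = json.loads(key_json)
    if creds.get("type") != "service_account":
        raise ValueError("not a service account key file")
    return {
        "gcp": {
            "email": creds["client_email"],
            "privateKey": pem_body_to_base64(creds["private_key"]),
        }
    }


def load_kms_providers(path: str) -> dict:
    """Read a key file from disk (e.g. the Composer bucket's data folder) and build kms_providers."""
    with open(path, encoding="utf-8") as fh:
        return kms_providers_from_key_file(fh.read())


if __name__ == "__main__":
    providers = kms_providers_from_key_file(SAMPLE_KEY_FILE)
    print(providers["gcp"]["email"])
    # In a Composer task, with the key file uploaded to gs://<env-bucket>/data/sa.json
    # (assumed path), this would be used as in the question:
    #   from pymongo.encryption_options import AutoEncryptionOpts
    #   providers = load_kms_providers("/home/airflow/gcs/data/sa.json")
    #   opts = AutoEncryptionOpts(providers, key_vault_namespace=self.mongo_key_vault_namespace,
    #                             bypass_auto_encryption=True)
```

`load_kms_providers()` is the only piece that differs between the VM setup in the question and the bucket approach in the second answer: the path changes, the parsing does not. The key file still carries a long-lived private key, so whichever path is used, the bucket ACLs on that `data` folder deserve the same scrutiny as the original VM's file permissions.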