Secret Manager for a Vertex AI pipeline

Posted 01-15 00:40 · 780 words · 5 views · 0 comments

I am working in GCP creating a Vertex AI pipeline with kubeflow and it is time for me to store my API keys more securely. I am very new to GCP and unfamiliar with the environment, so I've been trying to follow a few tutorials but have hit a roadblock. I want to store my secrets in Secret Manager and then later access them from the pipeline I've written. I have no problem creating secrets and viewing them in the GUI, but when it comes to compiling my pipeline I get the error: google.api_core.exceptions.PermissionDenied: 403 Permission denied on resource project...

So it seems that the account running my pipelines does not have access to the secrets I have created. My question is then, how do I check which account is running the pipeline so I can grant it access? Or is there really another underlying problem here?

Code trying to access the secret:

    from google.cloud import secretmanager

    client = secretmanager.SecretManagerServiceClient()
    secret_name = "secret_name"
    # "path" is a placeholder here; the full resource name starts with projects/<project-id>/secrets
    request = {'name': f"path/{secret_name}/versions/latest"}
    response = client.access_secret_version(request)
    secret_string = response.payload.data.decode("UTF-8")

EDIT: I can add that I have been playing around a lot with account permissions, but my best guess is that the account found under Vertex AI > Workbench > the notebook I am using > Notebook details > Service account is the one that needs permission. Is this not it?


Comments (3)

合约呢 2025-01-22 00:40:34

In my case, the problem was that I was not using a custom service account, according to this page:

Note: If you want your custom training code to obtain an OAuth 2.0 access token with the https://www.googleapis.com/auth/cloud-platform scope, then you must use a custom service account for training. You cannot give this level of access to the Vertex AI Custom Code Service Agent.

As the Secret Manager client requires the aforementioned access token, you will need to create your own custom service account first. After you create one (with the proper permission attached, namely Secret Manager Secret Accessor), you can attach the service account to the job that needs it.

    from kfp.dsl import component
    from google_cloud_pipeline_components.v1.custom_job import (
        create_custom_training_job_from_component,
    )

    @component(
        packages_to_install=['google-cloud-secret-manager']
    )
    def print_secret_op(project_id: str, secret_id: str, version_id: str) -> str:
        # Imported inside the component: this runs in the component's container
        from google.cloud import secretmanager

        secret_client = secretmanager.SecretManagerServiceClient()
        # Full resource name, with the project given explicitly rather than inferred
        secret_name = f'projects/{project_id}/secrets/{secret_id}/versions/{version_id}'
        response = secret_client.access_secret_version(request={"name": secret_name})
        payload = response.payload.data.decode("UTF-8")
        answer = "The secret is: {}".format(payload)
        print(answer)
        return answer

    # Run the component as a custom training job under the custom service account
    print_secret_job = create_custom_training_job_from_component(
        print_secret_op,
        service_account="your-service-account-email",
    )

梦屿孤独相伴 2025-01-22 00:40:34

Running the command gcloud auth list might help you to determine the account you are using. Additionally, you can troubleshoot the accounts that you have created in the project and see the roles that the accounts have by following this documentation.

To access secrets in Secret Manager from a pipeline, you need to grant the service account that runs the pipeline the Secret Manager permission. You can see how in the "Configure a service account with granular permissions" section of Configure your Google Cloud project for Vertex AI Pipelines.

After setting the Secret Manager permissions on the service account that runs the pipeline, you can access the secrets.

Additionally, you can check this documentation to see how to access secrets with a kubeflow pipeline.

是伱的 2025-01-22 00:40:34

Possible Cause

The error google.api_core.exceptions.PermissionDenied: 403 Permission denied in Vertex Pipeline components is typically because you did not specify the project to the GCP client library instance.

client = secretmanager.SecretManagerServiceClient()  # <---- NO project specified

It is explained in Access Google Cloud services in your code.

This problem occurs because Vertex AI does not run your code directly in your Google Cloud project. Instead, Vertex AI runs your code in one of several separate projects managed by Google. Vertex AI uses these projects exclusively for operations related to your project. Therefore, don't try to infer a project ID from the environment in your training or prediction code; specify project IDs explicitly.

Because you did not specify the project ID to the SecretManagerServiceClient, it tried to connect to the Secret Manager service of the Vertex AI project managed by Google, which will not allow you to access it, of course.

Fix

As per the example in Access Google Cloud services in your code, specify YOUR project ID to the project parameter when instantiating a GCP service client.

    import os

    from google.cloud import bigquery

    # Set by Vertex AI in the job's environment to identify YOUR project
    project_number = os.environ["CLOUD_ML_PROJECT_ID"]

    client = bigquery.Client(project=project_number)
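The two fixes in this thread (run the step as a service account that holds Secret Manager Secret Accessor, and name your own project explicitly in the resource path) come together in the following added example, which is not code from the question or from any of the answers. It builds the full `projects/.../secrets/.../versions/...` name, refuses a placeholder prefix such as `path/`, turns a 403 into an error that names the role to grant, and keeps the payload out of logs and component outputs; `FakeSecretClient`, `PermissionDenied` and the secret values are constructed stand-ins so it runs without GCP access.

```python
import re
from types import SimpleNamespace

# Character sets Secret Manager accepts for secret IDs and version names.
SECRET_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,255}$")
VERSION_RE = re.compile(r"^(latest|[0-9]+)$")


def secret_version_name(project_id: str, secret_id: str, version: str = "latest") -> str:
    """Build projects/{project}/secrets/{secret}/versions/{version}, rejecting a
    placeholder prefix such as "path/" and an empty or inferred project ID."""
    if not project_id or "/" in project_id:
        raise ValueError("project_id must be your own project ID, passed in explicitly")
    if not SECRET_ID_RE.match(secret_id):
        raise ValueError(f"invalid secret_id: {secret_id!r}")
    if not VERSION_RE.match(version):
        raise ValueError(f"invalid version: {version!r}")
    return f"projects/{project_id}/secrets/{secret_id}/versions/{version}"


def read_secret(project_id: str, secret_id: str, version: str = "latest", client=None) -> str:
    """Return the decoded payload; use it inside the step, never print or return it."""
    if client is None:  # injectable for offline tests; real client created lazily
        from google.cloud import secretmanager  # installed via packages_to_install
        client = secretmanager.SecretManagerServiceClient()
    name = secret_version_name(project_id, secret_id, version)
    try:
        response = client.access_secret_version(request={"name": name})
    except Exception as exc:  # google.api_core.exceptions.PermissionDenied in practice
        if type(exc).__name__ != "PermissionDenied":
            raise
        raise PermissionError(
            f"403 on {name}: grant roles/secretmanager.secretAccessor on this secret "
            "to the service account the pipeline step actually runs as"
        ) from exc
    return response.payload.data.decode("UTF-8")


class PermissionDenied(Exception):
    """Constructed stand-in named like google.api_core's exception class."""


class FakeSecretClient:
    """Constructed offline stand-in for SecretManagerServiceClient: knows a few
    resource names and answers 403 for anything else, like the real service."""
    def __init__(self, secrets: dict):
        self.secrets = secrets

    def access_secret_version(self, request: dict):
        name = request["name"]
        if name not in self.secrets:
            raise PermissionDenied(f"403 Permission denied on resource {name}")
        return SimpleNamespace(payload=SimpleNamespace(data=self.secrets[name]))
```

Inside a `@component`, call `read_secret(project_id, secret_id)` with the project passed in as a parameter and use the value locally; the same call against a mis-scoped service account fails with the role named in the error.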