doushi1900 2018-12-19 18:39
Views: 158
Accepted

How do I create a service account with Google KMS to access secrets across GCP projects?

I've followed this tutorial: https://cloud.google.com/kms/docs/store-secrets

My next step was to have my apps read my secrets file from the storage bucket and decrypt safely at runtime. These apps run within various projects (staging, dev, production etc).

I've read the service account documentation over and over but can't quite understand the correct way forward.

What I found that worked was to simply add service accounts to MY_KMS_PROJECT and MY_STORAGE_PROJECT from the tutorial. I set them up to have access to read storage buckets and to decrypt KMS keys. Just by creating those service accounts, suddenly apps in other projects could read and decrypt. Is that how it's supposed to work?

I thought that I would have to create a service account for each project that I want to have access to the KMS projects from the tutorial? Or use IAM somehow to grant access? For example, how would I grant access to some apps within some projects and not others?

I'm attempting to now give access to apps when they are running in my local dev environment, which usually requires downloading a service account and pointing GOOGLE_APPLICATION_CREDENTIALS to the file. But it seems strange to me to download the service accounts from MY_KMS_PROJECT or MY_STORAGE_PROJECT, especially since I already have a service account for accessing Firebase. Are service accounts somehow global to all projects? Can they be combined? GOOGLE_APPLICATION_CREDENTIALS seems only good for pointing at a single service account.

Note: most of my apps are running on Google App Engine standard or flexible.

Here is the code from the apps within my projects that "just work" as described above:

// Obtain an HTTP client from Application Default Credentials: on App Engine this is
// the app's service account, locally it is whatever GOOGLE_APPLICATION_CREDENTIALS points at.
// Imports: "golang.org/x/oauth2/google" and cloudkms "google.golang.org/api/cloudkms/v1".
client, err := google.DefaultClient(ctx, cloudkms.CloudPlatformScope)
if err != nil {
    log.Fatal(err)
}

// Create the KMS client.
kmsService, err := cloudkms.New(client)
if err != nil {
    log.Fatal(err)
}
....

And for accessing the bucket:

// Create the storage client; it picks up the same Application Default Credentials.
// Import: "cloud.google.com/go/storage".
storageClient, err := storage.NewClient(ctx)
if err != nil {
    log.Fatal(err)
}
....

2 answers

  • doujiao1814 2018-12-20 20:16

    This is what I discovered works. Until I hear that it's not correct or ideal, it's how I'm moving forward:

    1. Follow the "storing secrets" tutorial (https://cloud.google.com/kms/docs/store-secrets).

    Note that when creating the two projects from the tutorial, there will be no service accounts automatically created, since there are no Compute or App Engine instances by default.

    2. Go to IAM for the KMS storage project and add any other projects with apps that you want to have access to download the encrypted secrets. Add them by their service account emails, with the role for viewing buckets.

    3. Go to IAM for the KMS management project and do the same for any projects with apps that you want to be decrypting the shared secrets, via their service account emails.

    For localhost development, use "gcloud auth application-default login" before starting your services.

    Accepted answer (chosen by the asker).
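As an added example (not code from the question or this answer), the shell functions below express the two IAM grants from steps 2 and 3 with gsutil and gcloud, scoped to the one bucket and the one key rather than to the whole project. The project, bucket, key ring and key names are placeholders, and the member is the consuming project's App Engine default service account (PROJECT_ID@appspot.gserviceaccount.com).

```shell
#!/bin/sh
# Added example: grant one consuming project's App Engine default service
# account the two permissions the answer describes. All names are placeholders.
KMS_PROJECT="my-kms-project"        # project that owns the key ring (management project)
STORAGE_BUCKET="my-secrets-bucket"  # bucket holding the encrypted secrets file
KEY_RING="my-keyring"
KEY_NAME="my-secrets-key"
LOCATION="global"
RUN="${RUN:-}"   # set RUN=echo to print the commands instead of running them

# Read-only access to objects in this bucket; the member cannot write or delete them.
grant_bucket_read() {
  $RUN gsutil iam ch "serviceAccount:$1:objectViewer" "gs://$STORAGE_BUCKET"
}

# Decrypt with this one key only; the member cannot encrypt, rotate, or use other keys.
grant_key_decrypt() {
  $RUN gcloud kms keys add-iam-policy-binding "$KEY_NAME" \
    --project "$KMS_PROJECT" --location "$LOCATION" --keyring "$KEY_RING" \
    --member "serviceAccount:$1" --role roles/cloudkms.cryptoKeyDecrypter
}

# Grant both to a consuming project's App Engine default service account.
# Repeat per project (staging, dev, production) that should be able to read and decrypt;
# projects you do not list here get nothing, which answers the "some apps and not others" question.
grant_project() {
  sa="$1@appspot.gserviceaccount.com"
  grant_bucket_read "$sa" && grant_key_decrypt "$sa"
}

# Usage: grant_project my-staging-project
```

For local runs, "gcloud auth application-default login" makes your own user identity the Application Default Credential, so your user account (not a downloaded key) needs the same two roles.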

