从 Google 云存储中提供 Google 客户服务帐户的密钥文件名
Providing keyFilename of Google Client Service Account from Google Cloud Storage
要从 Google Cloud Function 连接到存在于不同 GCP 项目中的 Google Cloud BigQuery,我将按如下方式创建 BigQuery 客户端:
const {BigQuery} = require('@google-cloud/bigquery');
// The client as written in the question: credentials come from a service
// account key file on the local filesystem, for a BigQuery dataset that lives
// in another project.
const keyFilename = 'path/to/service_account.json';
const projectId = 'my_project';
const options = {keyFilename, projectId};
const bigquery = new BigQuery(options);
但我不想把 service_account.json 打包进 Cloud Function 的部署包里,而是想把服务帐户密钥存放在 Google Cloud Storage 中,并在上面的 keyFilename 里直接填 Google Cloud Storage 路径。我没有找到任何文档说明 keyFilename 是否可以接受 Cloud Storage 路径而不是本地路径。
您无法提供 Google Cloud Storage 路径:`keyFilename` 只接受本地文件系统路径。假设您部署的函数的运行时服务帐户对存储桶中的该对象(key.json 文件)具有 `storage.objects.get` 权限,那么您可以先把文件从 Google Cloud Storage 下载到 Cloud Function 可写的 `/tmp` 目录,再把这个本地路径传给 `keyFilename`。注意:`/tmp` 是内存文件系统,下载下来的密钥会在实例存活期间一直驻留,并且对函数内运行的所有代码(包括第三方依赖)可读;另外要确保在第一次查询之前下载已经完成,并且不要把密钥内容写入日志。
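const {Storage} = require('@google-cloud/storage');
const {BigQuery} = require('@google-cloud/bigquery');

// TODO(developer): the bucket and object that hold the service account key.
const bucketName = 'my-bucket';
const srcFilename = 'key.json';
// /tmp is the writable directory of the Cloud Functions runtime. It is an
// in-memory filesystem that persists for the lifetime of the instance, so the
// key stays resident (and readable by every module in the function) until the
// instance is recycled. If you would rather keep the key out of the filesystem
// entirely, `file.download()` without a destination returns a Buffer that can
// be passed to BigQuery as `credentials: JSON.parse(buf)` instead.
const destFilename = '/tmp/key.json';

// Creates a client
const storage = new Storage();

/**
 * Copies gs://bucketName/srcFilename to destFilename.
 *
 * The function's runtime service account needs storage.objects.get on the
 * object. Only the location is logged, never the key material.
 * @returns {Promise<string>} local path of the downloaded key file
 */
async function downloadFile() {
  // Downloads the file
  await storage
    .bucket(bucketName)
    .file(srcFilename)
    .download({destination: destFilename});
  console.log(
    `gs://${bucketName}/${srcFilename} downloaded to ${destFilename}.`
  );
  return destFilename;
}

// Start the download once per instance. The BigQuery client only reads
// keyFilename on its first request, so it can be constructed right away, but
// the function handler must `await keyReady` before issuing a query; otherwise
// the first query races the download and fails on the missing file.
const keyReady = downloadFile();
// Mark the rejection as observed so a failed download does not crash the
// instance at load time; the handler still gets the error when it awaits.
keyReady.catch(console.error);

const options = {
  keyFilename: destFilename,
  projectId: 'my_project',
};
const bigquery = new BigQuery(options);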
更好的解决方案是把 key.json 的内容存入 Google Secret Manager,然后只在该 secret 上(而不是整个项目上)把 `roles/secretmanager.secretAccessor` 授予 Cloud Function 的运行时服务帐户,并在函数内读取 secret 后直接通过 `credentials` 选项传给 BigQuery 客户端,这样密钥不会落盘。生产环境中请固定使用编号的 secret 版本而不是 `latest`,并且不要把 payload 打印到日志。此外,如果对方项目允许跨项目 IAM 授权,最简单也最安全的做法是完全不用密钥文件:直接在目标项目中把所需的 BigQuery 角色授予本函数的运行时服务帐户,然后用不带 `keyFilename` 的 `new BigQuery({projectId})`,让客户端库通过应用默认凭据进行身份验证。
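/**
 * TODO(developer): point `name` at the secret version that holds the service
 * account key JSON before running the sample. Pin a numbered version in
 * production; `latest` silently follows every rotation.
 */
// const name = 'projects/my-project/secrets/my-secret/versions/5';
const name = 'projects/my-project/secrets/my-secret/versions/latest';
// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');
const {BigQuery} = require('@google-cloud/bigquery');
// Instantiates a client
const client = new SecretManagerServiceClient();

/**
 * Reads one secret version and returns its payload as a UTF-8 string.
 *
 * The function's runtime service account needs roles/secretmanager.secretAccessor
 * on this secret. The payload is the key material: hand it to the caller,
 * never log it.
 * @param {string} [secretName=name] full resource name of the secret version
 * @returns {Promise<string>} the decoded payload
 */
async function accessSecretVersion(secretName = name) {
  const [version] = await client.accessSecretVersion({name: secretName});
  // Extract the payload as a string.
  return version.payload.data.toString('utf8');
}

/**
 * Builds a BigQuery client from the key JSON stored in Secret Manager.
 * The parsed key is passed in memory via `credentials`, so it never has to be
 * written to /tmp.
 * @returns {Promise<BigQuery>} a client authenticated with the stored key
 */
async function createBigQueryClient() {
  const credentials = JSON.parse(await accessSecretVersion());
  return new BigQuery({credentials, projectId: 'my_project'});
}

// Resolve the client once per instance; the function handler must
// `await bigqueryReady` before its first query.
const bigqueryReady = createBigQueryClient();
// Mark the rejection as observed so a failed secret read does not crash the
// instance at load time; the handler still gets the error when it awaits.
bigqueryReady.catch(console.error);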
要从 Google Cloud Function 连接到存在于不同 GCP 项目中的 Google Cloud BigQuery,我将按如下方式创建 BigQuery 客户端:
const {BigQuery} = require('@google-cloud/bigquery');
// The client as written in the question: credentials come from a service
// account key file on the local filesystem, for a BigQuery dataset that lives
// in another project.
const keyFilename = 'path/to/service_account.json';
const projectId = 'my_project';
const options = {keyFilename, projectId};
const bigquery = new BigQuery(options);
但我不想把 service_account.json 打包进 Cloud Function 的部署包里,而是想把服务帐户密钥存放在 Google Cloud Storage 中,并在上面的 keyFilename 里直接填 Google Cloud Storage 路径。我没有找到任何文档说明 keyFilename 是否可以接受 Cloud Storage 路径而不是本地路径。
您无法提供 Google Cloud Storage 路径:`keyFilename` 只接受本地文件系统路径。假设您部署的函数的运行时服务帐户对存储桶中的该对象(key.json 文件)具有 `storage.objects.get` 权限,那么您可以先把文件从 Google Cloud Storage 下载到 Cloud Function 可写的 `/tmp` 目录,再把这个本地路径传给 `keyFilename`。注意:`/tmp` 是内存文件系统,下载下来的密钥会在实例存活期间一直驻留,并且对函数内运行的所有代码(包括第三方依赖)可读;另外要确保在第一次查询之前下载已经完成,并且不要把密钥内容写入日志。
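const {Storage} = require('@google-cloud/storage');
const {BigQuery} = require('@google-cloud/bigquery');

// TODO(developer): the bucket and object that hold the service account key.
const bucketName = 'my-bucket';
const srcFilename = 'key.json';
// /tmp is the writable directory of the Cloud Functions runtime. It is an
// in-memory filesystem that persists for the lifetime of the instance, so the
// key stays resident (and readable by every module in the function) until the
// instance is recycled. If you would rather keep the key out of the filesystem
// entirely, `file.download()` without a destination returns a Buffer that can
// be passed to BigQuery as `credentials: JSON.parse(buf)` instead.
const destFilename = '/tmp/key.json';

// Creates a client
const storage = new Storage();

/**
 * Copies gs://bucketName/srcFilename to destFilename.
 *
 * The function's runtime service account needs storage.objects.get on the
 * object. Only the location is logged, never the key material.
 * @returns {Promise<string>} local path of the downloaded key file
 */
async function downloadFile() {
  // Downloads the file
  await storage
    .bucket(bucketName)
    .file(srcFilename)
    .download({destination: destFilename});
  console.log(
    `gs://${bucketName}/${srcFilename} downloaded to ${destFilename}.`
  );
  return destFilename;
}

// Start the download once per instance. The BigQuery client only reads
// keyFilename on its first request, so it can be constructed right away, but
// the function handler must `await keyReady` before issuing a query; otherwise
// the first query races the download and fails on the missing file.
const keyReady = downloadFile();
// Mark the rejection as observed so a failed download does not crash the
// instance at load time; the handler still gets the error when it awaits.
keyReady.catch(console.error);

const options = {
  keyFilename: destFilename,
  projectId: 'my_project',
};
const bigquery = new BigQuery(options);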
更好的解决方案是把 key.json 的内容存入 Google Secret Manager,然后只在该 secret 上(而不是整个项目上)把 `roles/secretmanager.secretAccessor` 授予 Cloud Function 的运行时服务帐户,并在函数内读取 secret 后直接通过 `credentials` 选项传给 BigQuery 客户端,这样密钥不会落盘。生产环境中请固定使用编号的 secret 版本而不是 `latest`,并且不要把 payload 打印到日志。此外,如果对方项目允许跨项目 IAM 授权,最简单也最安全的做法是完全不用密钥文件:直接在目标项目中把所需的 BigQuery 角色授予本函数的运行时服务帐户,然后用不带 `keyFilename` 的 `new BigQuery({projectId})`,让客户端库通过应用默认凭据进行身份验证。
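/**
 * TODO(developer): point `name` at the secret version that holds the service
 * account key JSON before running the sample. Pin a numbered version in
 * production; `latest` silently follows every rotation.
 */
// const name = 'projects/my-project/secrets/my-secret/versions/5';
const name = 'projects/my-project/secrets/my-secret/versions/latest';
// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');
const {BigQuery} = require('@google-cloud/bigquery');
// Instantiates a client
const client = new SecretManagerServiceClient();

/**
 * Reads one secret version and returns its payload as a UTF-8 string.
 *
 * The function's runtime service account needs roles/secretmanager.secretAccessor
 * on this secret. The payload is the key material: hand it to the caller,
 * never log it.
 * @param {string} [secretName=name] full resource name of the secret version
 * @returns {Promise<string>} the decoded payload
 */
async function accessSecretVersion(secretName = name) {
  const [version] = await client.accessSecretVersion({name: secretName});
  // Extract the payload as a string.
  return version.payload.data.toString('utf8');
}

/**
 * Builds a BigQuery client from the key JSON stored in Secret Manager.
 * The parsed key is passed in memory via `credentials`, so it never has to be
 * written to /tmp.
 * @returns {Promise<BigQuery>} a client authenticated with the stored key
 */
async function createBigQueryClient() {
  const credentials = JSON.parse(await accessSecretVersion());
  return new BigQuery({credentials, projectId: 'my_project'});
}

// Resolve the client once per instance; the function handler must
// `await bigqueryReady` before its first query.
const bigqueryReady = createBigQueryClient();
// Mark the rejection as observed so a failed secret read does not crash the
// instance at load time; the handler still gets the error when it awaits.
bigqueryReady.catch(console.error);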