无法访问 GCP Secret Manager 中的机密
Can't access secret in GCP Secret Manager
我正在尝试将我的代码从使用存储在 .env 文件中的 API 密钥迁移到使用 Google Cloud Platform Secrets Manager。我已按照说明进行操作 here,但我遇到一条错误消息,提示我没有访问机密的权限。
import * as admin from "firebase-admin"
import { SecretManagerServiceClient } from "@google-cloud/secret-manager"
admin.initializeApp()
const secretClient = new SecretManagerServiceClient()
async function main() {
async function getSecret(): Promise<string | null | undefined> {
const [version] = await secretClient.accessSecretVersion({ name: "TELEGRAM_TOKEN" })
return version.payload?.data?.toString()
}
const TELEGRAM_TOKEN = await getSecret()
console.log(TELEGRAM_TOKEN)
}
main().catch(console.error)
这就是我得到的错误:
> node lib/app.js --telegram
{ Error: 7 PERMISSION_DENIED: Permission denied on resource project TELEGRAM_TOKEN.
at Object.callErrorFromStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call.js:30:26)
at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client.js:174:52)
at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:340:141)
at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:303:181)
at Http2CallStream.outputStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:114:27)
at Http2CallStream.maybeOutputStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:153:22)
at Http2CallStream.endCall (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:140:18)
at Http2CallStream.handleTrailers (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:262:14)
at ClientHttp2Stream.emit (events.js:198:13)
at emit (internal/http2/core.js:265:8)
code: 7,
details: 'Permission denied on resource project TELEGRAM_TOKEN.',
metadata:
Metadata {
internalRepr:
Map {
'google.rpc.help-bin' => [Array],
'grpc-status-details-bin' => [Array],
'grpc-server-stats-bin' => [Array] },
options: {} },
note:
'Exception occurred in retry method that was not classified as transient' }
我确实创建了一个具有“所有者”权限的服务帐户,下载并制作了 export GOOGLE_APPLICATION_CREDENTIALS=/Users/...。当我执行 echo $GOOGLE_APPLICATION_CREDENTIALS.
时,我的服务帐户 .json 文件位置正确显示
我真的不知道我做错了什么。
访问secret时需要指定项目:
await secretClient.accessSecretVersion({ name: "TELEGRAM_TOKEN" })
应该是
await secretClient.accessSecretVersion({ name: "projects/my-project/secrets/TELEGRAM_TOKEN/versions/latest" })
我刚遇到同样的问题,我个人不得不在secret名称中指定项目名称后添加/versions/latest
await secretClient.accessSecretVersion({
name: "projects/my-project/secrets/TELEGRAM_TOKEN/versions/latest"
})
这些答案指导了我,但我花了很长时间才开始工作。您需要输入 PROJECT_ID 而不是 Project-Name.
找到您的项目 ID:
此处第二列显示项目 ID:
现在使用它和 运行 脚本
await secretClient.accessSecretVersion({
name: "projects/PROJECT_ID/secrets/SECRET_NAME/versions/latest"
})
我正在尝试将我的代码从使用存储在 .env 文件中的 API 密钥迁移到使用 Google Cloud Platform Secrets Manager。我已按照说明进行操作 here,但我遇到一条错误消息,提示我没有访问机密的权限。
import * as admin from "firebase-admin"
import { SecretManagerServiceClient } from "@google-cloud/secret-manager"
admin.initializeApp()
const secretClient = new SecretManagerServiceClient()
async function main() {
async function getSecret(): Promise<string | null | undefined> {
const [version] = await secretClient.accessSecretVersion({ name: "TELEGRAM_TOKEN" })
return version.payload?.data?.toString()
}
const TELEGRAM_TOKEN = await getSecret()
console.log(TELEGRAM_TOKEN)
}
main().catch(console.error)
这就是我得到的错误:
> node lib/app.js --telegram
{ Error: 7 PERMISSION_DENIED: Permission denied on resource project TELEGRAM_TOKEN.
at Object.callErrorFromStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call.js:30:26)
at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client.js:174:52)
at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:340:141)
at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:303:181)
at Http2CallStream.outputStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:114:27)
at Http2CallStream.maybeOutputStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:153:22)
at Http2CallStream.endCall (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:140:18)
at Http2CallStream.handleTrailers (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:262:14)
at ClientHttp2Stream.emit (events.js:198:13)
at emit (internal/http2/core.js:265:8)
code: 7,
details: 'Permission denied on resource project TELEGRAM_TOKEN.',
metadata:
Metadata {
internalRepr:
Map {
'google.rpc.help-bin' => [Array],
'grpc-status-details-bin' => [Array],
'grpc-server-stats-bin' => [Array] },
options: {} },
note:
'Exception occurred in retry method that was not classified as transient' }
我确实创建了一个具有“所有者”权限的服务帐户,下载并制作了 export GOOGLE_APPLICATION_CREDENTIALS=/Users/...。当我执行 echo $GOOGLE_APPLICATION_CREDENTIALS.
我真的不知道我做错了什么。
访问secret时需要指定项目:
await secretClient.accessSecretVersion({ name: "TELEGRAM_TOKEN" })
应该是
await secretClient.accessSecretVersion({ name: "projects/my-project/secrets/TELEGRAM_TOKEN/versions/latest" })
我刚遇到同样的问题,我个人不得不在secret名称中指定项目名称后添加/versions/latest
await secretClient.accessSecretVersion({
name: "projects/my-project/secrets/TELEGRAM_TOKEN/versions/latest"
})
这些答案指导了我,但我花了很长时间才开始工作。您需要输入 PROJECT_ID 而不是 Project-Name.
找到您的项目 ID:
此处第二列显示项目 ID:
现在使用它和 运行 脚本
await secretClient.accessSecretVersion({
name: "projects/PROJECT_ID/secrets/SECRET_NAME/versions/latest"
})