尽管有适当的角色,GCP VM 实例仍无法从 Secret Manager 访问机密
GCP VM Instance is not able to access secrets from Secret Manager despite of appropriate Roles
我在 GCP 的 Secret Manager 服务中创建了一些秘密。然后为了在我的本地机器上访问这些秘密,我创建了一个 service account 和一个 JSON 密钥来从我的本地机器验证该服务帐户。我还向该服务帐户授予了 Secret Manager Secret Accessor 角色,以使其能够访问 Secret Manager 中的机密值。现在,它在我的本地机器上运行得非常好。
此外,我想将此代码部署到 GCP Compute Instance。因此,我创建了一个并将源代码发送到该实例。我还向计算实例的默认服务帐户授予了相同的权限 Secret Manager Secret Accessor。现在,当我 运行 在实例上尝试此代码时,它 returns 我出现了如下所述的权限被拒绝的错误。
The above exception was the direct cause of the following exception:
ibdax |
ibdax | Traceback (most recent call last):
ibdax | File "manage.py", line 22, in <module>
ibdax | main()
ibdax | File "manage.py", line 18, in main
ibdax | execute_from_command_line(sys.argv)
ibdax | File "/usr/local/lib/python3.7/site-packages/django/core/management/__init__.py", line 419, in execute_from_command_line
ibdax | utility.execute()
ibdax | File "/usr/local/lib/python3.7/site-packages/django/core/management/__init__.py", line 363, in execute
ibdax | settings.INSTALLED_APPS
ibdax | File "/usr/local/lib/python3.7/site-packages/django/conf/__init__.py", line 82, in __getattr__
ibdax | self._setup(name)
ibdax | File "/usr/local/lib/python3.7/site-packages/django/conf/__init__.py", line 69, in _setup
ibdax | self._wrapped = Settings(settings_module)
ibdax | File "/usr/local/lib/python3.7/site-packages/django/conf/__init__.py", line 170, in __init__
ibdax | mod = importlib.import_module(self.SETTINGS_MODULE)
ibdax | File "/usr/local/lib/python3.7/importlib/__init__.py", line 127, in import_module
ibdax | return _bootstrap._gcd_import(name[level:], package, level)
ibdax | File "<frozen importlib._bootstrap>", line 1006, in _gcd_import
ibdax | File "<frozen importlib._bootstrap>", line 983, in _find_and_load
ibdax | File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
ibdax | File "<frozen importlib._bootstrap>", line 677, in _load_unlocked
ibdax | File "<frozen importlib._bootstrap_external>", line 728, in exec_module
ibdax | File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
ibdax | File "/ibdax/ibdax/settings.py", line 19, in <module>
ibdax | from ibdax.constants import (
ibdax | File "/ibdax/ibdax/constants.py", line 30, in <module>
ibdax | DEV_DATABASE_HOST=secrets.get_secrets("dev-database-host")
ibdax | File "/ibdax/ibdax/gcp_secret_manager.py", line 23, in get_secrets
ibdax | response = self.client.access_secret_version(request)
ibdax | File "/usr/local/lib/python3.7/site-packages/google/cloud/secretmanager_v1/services/secret_manager_service/client.py", line 1155, in access_secret_version
ibdax | response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
ibdax | File "/usr/local/lib/python3.7/site-packages/google/api_core/gapic_v1/method.py", line 145, in __call__
ibdax | return wrapped_func(*args, **kwargs)
ibdax | File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py", line 286, in retry_wrapped_func
ibdax | on_error=on_error,
ibdax | File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py", line 184, in retry_target
ibdax | return target()
ibdax | File "/usr/local/lib/python3.7/site-packages/google/api_core/grpc_helpers.py", line 75, in error_remapped_callable
ibdax | six.raise_from(exceptions.from_grpc_error(exc), exc)
ibdax | File "<string>", line 3, in raise_from
ibdax | google.api_core.exceptions.PermissionDenied: 403 Request had insufficient authentication scopes.
我检查了 Compute Instance's 服务帐户的 IAM 角色,它有一些我无法理解的消息。这是屏幕截图 -
我该如何解决这个问题?
首先,请不要将 JSON 服务帐户密钥文件下载到您的本地计算机。您可以在 https://cloud.google.com/sdk 安装 gcloud 命令行工具,然后通过您的用户帐户进行身份验证:
$ gcloud auth login && gcloud auth application-default login
这将提示您通过网络登录您的 Google 帐户 - 不需要服务帐户。从安全和审计的角度来看,这要好得多。
同样,当 运行在 GCE(或任何“基于计算的”平台,如 GKE、Cloud Functions、Cloud 运行 等)上运行时,您应该创建一个服务帐户并 运行 作为该服务帐户的实例。 不要使用默认计算引擎服务帐户!。此外,不要授予 Default Compute Engine 服务帐户访问所有机密的权限,因为这会带来重大的安全风险。请在 Secret Manager Best Practices.
查看更多信息
GCE 的默认 OAuth 范围不包括 cloud-platform。您需要更新范围以包括 cloud-platform:
$ gcloud compute instances set-service-account "my-instance" --service-account "...@..." --scopes "cloud-platform"
首先尝试排除故障
如果它显示网络问题然后为您的实例添加新的防火墙规则将名称命名为 allow-ingress-from-iap 和 select ipv4 源范围作为您的 vm ip 然后在 tcp giv 22,3389 然后为 iap 隧道添加 iam
我在 GCP 的 Secret Manager 服务中创建了一些秘密。然后为了在我的本地机器上访问这些秘密,我创建了一个 service account 和一个 JSON 密钥来从我的本地机器验证该服务帐户。我还向该服务帐户授予了 Secret Manager Secret Accessor 角色,以使其能够访问 Secret Manager 中的机密值。现在,它在我的本地机器上运行得非常好。
此外,我想将此代码部署到 GCP Compute Instance。因此,我创建了一个并将源代码发送到该实例。我还向计算实例的默认服务帐户授予了相同的权限 Secret Manager Secret Accessor。现在,当我 运行 在实例上尝试此代码时,它 returns 我出现了如下所述的权限被拒绝的错误。
The above exception was the direct cause of the following exception:
ibdax |
ibdax | Traceback (most recent call last):
ibdax | File "manage.py", line 22, in <module>
ibdax | main()
ibdax | File "manage.py", line 18, in main
ibdax | execute_from_command_line(sys.argv)
ibdax | File "/usr/local/lib/python3.7/site-packages/django/core/management/__init__.py", line 419, in execute_from_command_line
ibdax | utility.execute()
ibdax | File "/usr/local/lib/python3.7/site-packages/django/core/management/__init__.py", line 363, in execute
ibdax | settings.INSTALLED_APPS
ibdax | File "/usr/local/lib/python3.7/site-packages/django/conf/__init__.py", line 82, in __getattr__
ibdax | self._setup(name)
ibdax | File "/usr/local/lib/python3.7/site-packages/django/conf/__init__.py", line 69, in _setup
ibdax | self._wrapped = Settings(settings_module)
ibdax | File "/usr/local/lib/python3.7/site-packages/django/conf/__init__.py", line 170, in __init__
ibdax | mod = importlib.import_module(self.SETTINGS_MODULE)
ibdax | File "/usr/local/lib/python3.7/importlib/__init__.py", line 127, in import_module
ibdax | return _bootstrap._gcd_import(name[level:], package, level)
ibdax | File "<frozen importlib._bootstrap>", line 1006, in _gcd_import
ibdax | File "<frozen importlib._bootstrap>", line 983, in _find_and_load
ibdax | File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
ibdax | File "<frozen importlib._bootstrap>", line 677, in _load_unlocked
ibdax | File "<frozen importlib._bootstrap_external>", line 728, in exec_module
ibdax | File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
ibdax | File "/ibdax/ibdax/settings.py", line 19, in <module>
ibdax | from ibdax.constants import (
ibdax | File "/ibdax/ibdax/constants.py", line 30, in <module>
ibdax | DEV_DATABASE_HOST=secrets.get_secrets("dev-database-host")
ibdax | File "/ibdax/ibdax/gcp_secret_manager.py", line 23, in get_secrets
ibdax | response = self.client.access_secret_version(request)
ibdax | File "/usr/local/lib/python3.7/site-packages/google/cloud/secretmanager_v1/services/secret_manager_service/client.py", line 1155, in access_secret_version
ibdax | response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
ibdax | File "/usr/local/lib/python3.7/site-packages/google/api_core/gapic_v1/method.py", line 145, in __call__
ibdax | return wrapped_func(*args, **kwargs)
ibdax | File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py", line 286, in retry_wrapped_func
ibdax | on_error=on_error,
ibdax | File "/usr/local/lib/python3.7/site-packages/google/api_core/retry.py", line 184, in retry_target
ibdax | return target()
ibdax | File "/usr/local/lib/python3.7/site-packages/google/api_core/grpc_helpers.py", line 75, in error_remapped_callable
ibdax | six.raise_from(exceptions.from_grpc_error(exc), exc)
ibdax | File "<string>", line 3, in raise_from
ibdax | google.api_core.exceptions.PermissionDenied: 403 Request had insufficient authentication scopes.
我检查了 Compute Instance's 服务帐户的 IAM 角色,它有一些我无法理解的消息。这是屏幕截图 -
我该如何解决这个问题?
首先,请不要将 JSON 服务帐户密钥文件下载到您的本地计算机。您可以在 https://cloud.google.com/sdk 安装 gcloud 命令行工具,然后通过您的用户帐户进行身份验证:
$ gcloud auth login && gcloud auth application-default login
这将提示您通过网络登录您的 Google 帐户 - 不需要服务帐户。从安全和审计的角度来看,这要好得多。
同样,当 运行在 GCE(或任何“基于计算的”平台,如 GKE、Cloud Functions、Cloud 运行 等)上运行时,您应该创建一个服务帐户并 运行 作为该服务帐户的实例。 不要使用默认计算引擎服务帐户!。此外,不要授予 Default Compute Engine 服务帐户访问所有机密的权限,因为这会带来重大的安全风险。请在 Secret Manager Best Practices.
查看更多信息GCE 的默认 OAuth 范围不包括 cloud-platform。您需要更新范围以包括 cloud-platform:
$ gcloud compute instances set-service-account "my-instance" --service-account "...@..." --scopes "cloud-platform"
首先尝试排除故障 如果它显示网络问题然后为您的实例添加新的防火墙规则将名称命名为 allow-ingress-from-iap 和 select ipv4 源范围作为您的 vm ip 然后在 tcp giv 22,3389 然后为 iap 隧道添加 iam