Cloud Function is not permitted to decrypt with a KMS key

I have a Python Cloud Function that uses a KMS key to decrypt authentication tokens for other services from its environment, following https://dev.to/googlecloud/using-secrets-in-google-cloud-functions-5aem

Every time I run the function I keep getting "403 Permission Denied". When I call the function locally on my machine it works fine. I tried adding the "Cloud KMS CryptoKey Decrypter" role to the default Compute Engine service account, but that did not help.

Any other ideas?

Edit: here is some code showing what I am doing. The environment variables are stored in the environment.yaml file that gcloud functions deploy points to:
import base64
import os

import boto3
from google.cloud import kms


def decrypt_secret(key: str, secret: str) -> str:
    # key is the full CryptoKey resource name
    # (projects/.../locations/.../keyRings/.../cryptoKeys/...);
    # secret is the base64-encoded ciphertext stored in the environment.
    kms_client = kms.KeyManagementServiceClient()
    decrypted = kms_client.decrypt(name=key, ciphertext=base64.b64decode(secret))
    return decrypted.plaintext.decode("ascii")


def do_kms_stuff():
    key = os.environ["KMS_RESOURCE_NAME"]
    session = boto3.Session(
        profile_name="my-profile",
        aws_access_key_id=decrypt_secret(
            key, os.environ["AWS_ACCESS_KEY_ID_ENCRYPTED"]
        ),
        aws_secret_access_key=decrypt_secret(
            key, os.environ["AWS_SECRET_ACCESS_KEY_ENCRYPTED"]
        ),
    )
    # ...

Here is the error from the Cloud Functions console:

File "<string>",line 3,in raise_from: google.api_core.exceptions.PermissionDenied: 403 Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource 'projects/my-project/locations/my-location1/keyRings/my-keyring/cryptoKeys/my-key' (or it may not exist). at error_remapped_callable (/env/local/lib/python3.7/site-packages/google/api_core/grpc_helpers.py:59) at func_with_timeout (/env/local/lib/python3.7/site-packages/google/api_core/timeout.py:214) at retry_target (/env/local/lib/python3.7/site-packages/google/api_core/retry.py:182) at retry_wrapped_func (/env/local/lib/python3.7/site-packages/google/api_core/retry.py:277) at
__call__ (/env/local/lib/python3.7/site-packages/google/api_core/gapic_v1/method.py:143) at decrypt (/env/local/lib/python3.7/site-packages/google/cloud/kms_v1/gapic/key_management_service_client.py:1816) at decrypt_secret (/user_code/kms_stuff.py:17) at do_kms_stuff (/user_code/kms_stuff.py:48) at my_cloud_function (/user_code/main.py:46) at call_user_function (/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py:214) at invoke_user_function (/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py:217) at run_background_function (/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py:383)
liuqiang5387 answered: Cloud Function is not permitted to decrypt with a KMS key

As @DazWilkin and @pessolato mentioned, the problem was that I was using the wrong service account. After switching to the default AppSpot account, everything went smoothly.
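The root cause in this thread is that the role was granted to an identity the function does not run as. The following added example (my own code, not the question's or the answer's) shows how to confirm the runtime identity and turn the 403 message into a least-privilege grant on just the one key. It assumes the metadata-server endpoint and the `gcloud kms keys add-iam-policy-binding` command that Google Cloud documents; `runtime_service_account()` only returns a value when run inside a Google Cloud runtime, and the sample error message is the one from the question.

```python
import re
import urllib.request
from typing import Optional

# Metadata-server endpoint that reports the identity the workload runs as.
# Only reachable from inside a Cloud Function / GCE / GKE runtime.
METADATA_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/email"
)

# Narrowest predefined role that carries the permission named in the error.
# Granting the decrypter role (not owner/editor) on a single key keeps the
# function from being able to encrypt, rotate, or read other keys.
PERMISSION_TO_ROLE = {
    "cloudkms.cryptoKeyVersions.useToDecrypt": "roles/cloudkms.cryptoKeyDecrypter",
    "cloudkms.cryptoKeyVersions.useToEncrypt": "roles/cloudkms.cryptoKeyEncrypter",
}

KEY_NAME_RE = re.compile(
    r"projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)/"
    r"keyRings/(?P<keyring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
)
ERROR_RE = re.compile(
    r"Permission '(?P<permission>[\w.]+)' denied on resource '(?P<resource>[^']+)'"
)

# The error text from the question, used here as sample input.
SAMPLE_ERROR = (
    "google.api_core.exceptions.PermissionDenied: 403 Permission "
    "'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource "
    "'projects/my-project/locations/my-location1/keyRings/my-keyring/"
    "cryptoKeys/my-key' (or it may not exist)."
)


def runtime_service_account(timeout: float = 1.0) -> Optional[str]:
    """Return the service-account email the code actually runs as, or None
    when not on Google Cloud. Log this once at startup: it is the identity
    that needs the KMS role, whatever the console or local credentials say."""
    req = urllib.request.Request(METADATA_URL, headers={"Metadata-Flavor": "Google"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8").strip()
    except (OSError, ValueError):
        return None


def app_engine_default_sa(project_id: str) -> str:
    """Email of the App Engine default service account, the identity a
    1st-gen Cloud Function runs as unless a different one is configured."""
    return f"{project_id}@appspot.gserviceaccount.com"


def parse_kms_key_name(resource: str) -> dict:
    """Split a CryptoKey resource name into its project/location/keyring/key parts."""
    m = KEY_NAME_RE.search(resource)
    if not m:
        raise ValueError(f"not a CryptoKey resource name: {resource!r}")
    return m.groupdict()


def parse_permission_denied(message: str) -> dict:
    """Extract the denied permission and the key it was denied on."""
    m = ERROR_RE.search(message)
    if not m:
        raise ValueError("not a KMS PermissionDenied message")
    info = parse_kms_key_name(m.group("resource"))
    info["permission"] = m.group("permission")
    info["role"] = PERMISSION_TO_ROLE.get(info["permission"], "<unmapped permission>")
    return info


def binding_command(message: str, member_email: str) -> str:
    """Build the gcloud command that grants the missing role to member_email
    on exactly the key named in the error, rather than project-wide."""
    info = parse_permission_denied(message)
    return (
        f"gcloud kms keys add-iam-policy-binding {info['key']} "
        f"--keyring {info['keyring']} --location {info['location']} "
        f"--project {info['project']} "
        f"--member serviceAccount:{member_email} --role {info['role']}"
    )


if __name__ == "__main__":
    who = runtime_service_account() or "(not running on Google Cloud)"
    print("runtime identity:", who)
    print(binding_command(SAMPLE_ERROR, app_engine_default_sa("my-project")))
```

Run inside the function (or log `runtime_service_account()` from it) to see the real identity before granting anything; if it differs from the account you expected, that mismatch is the whole bug. The generated command binds the role on the key itself, which is the scope a decrypt-only workload needs.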

Link to this post: https://www.f2er.com/2960675.html
