从Docker中的Python访问GCP Secret Manager中的机密-拒绝非SOP权限
我正在构建一个简单的应用程序,将Twilio凭证存储在GCP Secret Manager中,并在需要时将其取下。但是,我在项目资源上不断收到拒绝权限错误(403): google.api_core.exceptions.PermissionDenied:403资源项目的权限被拒绝 我使用的环境变量设置为包含服务帐户凭据的JSON文件的路径 以下是我已经尝试过的:从Docker中的Python访问GCP Secret Manager中的机密-拒绝非SOP权限,python,docker,google-cloud-platform,google-secret-manager,Python,Docker,Google Cloud Platform,Google Secret Manager,我正在构建一个简单的应用程序,将Twilio凭证存储在GCP Secret Manager中,并在需要时将其取下。但是,我在项目资源上不断收到拒绝权限错误(403): google.api_core.exceptions.PermissionDenied:403资源项目的权限被拒绝 我使用的环境变量设置为包含服务帐户凭据的JSON文件的路径 以下是我已经尝试过的: 确保在GCP控制台中正确设置权限。服务帐户被设置为项目的所有者和项目级别的机密访问器,以及每个机密的对象级别的机密访问器 确保环境
- 确保在GCP控制台中正确设置权限。服务帐户被设置为项目的所有者和项目级别的机密访问器,以及每个机密的对象级别的机密访问器
- 确保环境变量设置正确-我已经验证了ENV变量设置正确,并且可以读取它所指向的文件。我可以通过将ENV变量作为JSON文件打开来打印文件的内容
- 通过将我的JSON文件的内容与GCP控制台中的数据进行比较,确认身份验证信息是正确的
- 我使用gcloud CLI在服务帐户下登录,然后使用CLI命令检索相同的机密
- 我可以成功地访问数据并将数据推送到GCS存储桶,这表明凭据已从ENV变量正确加载
- 我试过用很多方法来获取这些秘密。我尝试过其他方法,比如在项目中列出秘密。全部返回权限错误
def access_secret(project_id, secret_id, version):
"""
Access a secret- API token, etc- stored in Secret Manager
Code from https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#secretmanager-access-secret-version-python
"""
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the secret version
name = client.secret_version_path(project_id, secret_id, version)
# Access the secret version
response = client.access_secret_version(name)
# Return the secret payload
payload = response.payload.data.decode('UTF-8')
return payload
EDIT2:这是我运行此代码的Dockerfile:
FROM python:3.8.2-slim-buster
WORKDIR /build
# Copy in the requirements.txt file and service account credentials
COPY requirements.txt <CREDENTIALS_FILENAME>.json /build/
ENV PYTHONUNBUFFERED=1 \
GOOGLE_APPLICATION_CREDENTIALS=/build/<CREDENTIALS_FILENAME>.json \
VOICEMAIL_TIMEOUT=55 \
MULTIRING_TIMEOUT=15 \
GCS_VM_BUCKET=<MY GCS BUCKET NAME> \
GCP_PROJECT=<MY GCP PROJECT NAME> \
PHONE_NUMBER=<PHONE NUMBER> \
TWILIO_ACCOUNT_SID_VERSION=1 \
TWILIO_AUTH_TOKEN_VERSION=1
# Install packages
RUN pip install -r requirements.txt
# Navigate to the directory containing the Python code
WORKDIR /code/src/
EXPOSE 5000
# Run the actual Python code
CMD ["python", "main.py"]
其中,TWILIO_账户_SID和TWILIO_认证_令牌是GCP中的机密名称
完整错误跟踪:
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/google/api_core/grpc_helpers.py", line 57, in error_remapped_callable return callable_(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/grpc/_channel.py", line 826, in __call__
return _end_unary_response_blocking(state, call, False, None)
File "/usr/local/lib/python3.8/site-packages/grpc/_channel.py", line 729, in _end_unary_response_blocking
raise _InactiveRpcError(state)
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.PERMISSION_DENIED
details = "Permission denied on resource project <MY GCP PROJECT NAME>."
debug_error_string = "{"created":"@1588389938.954039708","description":"Error received from peer ipv4:172.217.12.138:443","file":"src/core/lib/surface
/call.cc","file_line":1056,"grpc_message":"Permission denied on resource
project <MY GCP PROJECT NAME>.","grpc_status":7}" >
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "main.py", line 7, in <module>
from parameters import *
File "/code/src/parameters.py", line 16, in <module>
TWILIO_SID = access_secret(GCP_PROJECT, 'TWILIO_ACCOUNT_SID',
os.environ['TWILIO_ACCOUNT_SID_VERSION'])
File "/code/src/utils.py", line 46, in access_secret
response = client.access_secret_version(name)
File "/usr/local/lib/python3.8/site-packages/google/cloud/secretmanager_v1
/gapic/secret_manager_service_client.py", line 963, in access_secret_version
return self._inner_api_calls["access_secret_version"](
File "/usr/local/lib/python3.8/site-packages/google/api_core/gapic_v1
/method.py", line 143, in __call__
return wrapped_func(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/google/api_core/retry.py", line
281, in retry_wrapped_func
return retry_target(
File "/usr/local/lib/python3.8/site-packages/google/api_core/retry.py", line
184, in retry_target
return target()
File "/usr/local/lib/python3.8/site-packages/google/api_core/timeout.py",
line 214, in func_with_timeout
return func(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/google/api_core
/grpc_helpers.py", line 59, in error_remapped_callable
six.raise_from(exceptions.from_grpc_error(exc), exc)
File "<string>", line 3, in raise_from
google.api_core.exceptions.PermissionDenied: 403 Permission denied on
resource project <MY GCP PROJECT NAME>.
回溯(最近一次呼叫最后一次):
文件“/usr/local/lib/python3.8/site packages/google/api\u core/grpc\u helpers.py”,第57行,错误为\u重新映射\u callable return callable(*args,**kwargs)
文件“/usr/local/lib/python3.8/site packages/grpc/_channel.py”,第826行,在调用中
返回\u结束\u一元\u响应\u阻塞(状态、调用、错误、无)
文件“/usr/local/lib/python3.8/site packages/grpc/_channel.py”,第729行,输入一元响应
raise\u InactiveRpcError(状态)
grpc.\u信道。\u不活动覆盖PCERROR:
上述异常是以下异常的直接原因:
回溯(最近一次呼叫最后一次):
文件“main.py”,第7行,在
从参数导入*
文件“/code/src/parameters.py”,第16行,在
TWILIO\u SID=访问密钥(GCP\u项目,“TWILIO\u帐户\u SID”,
os.environ['TWILIO\u帐户\u SID\u版本']
文件“/code/src/utils.py”,第46行,在access\u secret中
响应=客户端。访问\u密码\u版本(名称)
文件“/usr/local/lib/python3.8/site-packages/google/cloud/secretmanager_v1
/gapic/secret\u manager\u service\u client.py“
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/google/api_core/grpc_helpers.py", line 57, in error_remapped_callable return callable_(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/grpc/_channel.py", line 826, in __call__
return _end_unary_response_blocking(state, call, False, None)
File "/usr/local/lib/python3.8/site-packages/grpc/_channel.py", line 729, in _end_unary_response_blocking
raise _InactiveRpcError(state)
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.PERMISSION_DENIED
details = "Permission denied on resource project <MY GCP PROJECT NAME>."
debug_error_string = "{"created":"@1588389938.954039708","description":"Error received from peer ipv4:172.217.12.138:443","file":"src/core/lib/surface
/call.cc","file_line":1056,"grpc_message":"Permission denied on resource
project <MY GCP PROJECT NAME>.","grpc_status":7}" >
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "main.py", line 7, in <module>
from parameters import *
File "/code/src/parameters.py", line 16, in <module>
TWILIO_SID = access_secret(GCP_PROJECT, 'TWILIO_ACCOUNT_SID',
os.environ['TWILIO_ACCOUNT_SID_VERSION'])
File "/code/src/utils.py", line 46, in access_secret
response = client.access_secret_version(name)
File "/usr/local/lib/python3.8/site-packages/google/cloud/secretmanager_v1
/gapic/secret_manager_service_client.py", line 963, in access_secret_version
return self._inner_api_calls["access_secret_version"](
File "/usr/local/lib/python3.8/site-packages/google/api_core/gapic_v1
/method.py", line 143, in __call__
return wrapped_func(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/google/api_core/retry.py", line
281, in retry_wrapped_func
return retry_target(
File "/usr/local/lib/python3.8/site-packages/google/api_core/retry.py", line
184, in retry_target
return target()
File "/usr/local/lib/python3.8/site-packages/google/api_core/timeout.py",
line 214, in func_with_timeout
return func(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/google/api_core
/grpc_helpers.py", line 59, in error_remapped_callable
six.raise_from(exceptions.from_grpc_error(exc), exc)
File "<string>", line 3, in raise_from
google.api_core.exceptions.PermissionDenied: 403 Permission denied on
resource project <MY GCP PROJECT NAME>.