def __init__(self, project_path, credentials=None):
if credentials is not None:
self.client = secretmanager.SecretManagerServiceClient(
credentials=credentials)
else:
self.client = secretmanager.SecretManagerServiceClient()
self.client.project_path(project_path)
def __init__(self, json_path=None):
if json_path is None:
self.client = secretmanager.SecretManagerServiceClient()
else:
json_path = os.path.expanduser(json_path)
credentials = service_account.Credentials.from_service_account_file(
json_path)
self.client = secretmanager.SecretManagerServiceClient(
credentials=credentials)
def iam_revoke_access(project_id, secret_id, member):
"""
Revoke the given member access to a secret.
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the secret.
name = client.secret_path(project_id, secret_id)
# Get the current IAM policy.
policy = client.get_iam_policy(name)
# Remove the given member's access permissions.
accessRole = 'roles/secretmanager.secretAccessor'
for b in list(policy.bindings):
if b.role == accessRole and member in b.members:
b.members.remove(member)
# Update the IAM Policy.
new_policy = client.set_iam_policy(name, policy)
# Print data about the secret.
print('Updated IAM policy on {}'.format(secret_id))
# [END secretmanager_iam_revoke_access]
return new_policy
def create_secret(project_id, secret_id):
"""
usage:
>>> project_id = 'at-ml-platform'
>>> secret_id = 'coinbase-api'
>>> create_secret(project_id, secret_id)
>>> create_secret(project_id, 'coinbase-key')
>>> create_secret(project_id, 'coinbase-secret')
>>> create_secret(project_id, 'coinbase-pass')
"""
client = secretmanager.SecretManagerServiceClient()
parent = f"projects/{project_id}"
# Create the secret.
response = client.create_secret(
request={
"parent": parent,
"secret_id": secret_id,
"secret": {
"replication": {
"automatic": {}
}
},
})
return response
def getApiKey():
secret_client = secretmanager.SecretManagerServiceClient()
name = secret_client.secret_version_path(project_id, secret_name, 'latest')
response = secret_client.access_secret_version(name)
key = response.payload.data.decode('UTF-8')
return key
def update_secret_with_alias(project_id, secret_id):
"""
Update the metadata about an existing secret.
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the secret.
name = client.secret_path(project_id, secret_id)
# Update the secret.
secret = {"name": name, "version_aliases": {"test": 1}}
update_mask = {"paths": ["version_aliases"]}
response = client.update_secret(
request={"secret": secret, "update_mask": update_mask}
)
# Print the new secret name.
print("Updated secret: {}".format(response.name))
# [END secretmanager_update_secret_with_alias]
return response
def get_monorail_service_account():
"""Get monorail service account credentials."""
client = secretmanager.SecretManagerServiceClient()
response = client.access_secret_version(
f'projects/{_PROJECT_ID}/secrets/monorail-service-account/versions/latest'
)
return json.loads(response.payload.data.decode())
def access_secret_version(project_id=None,
secret_id=None,
version_id='latest'):
"""
Access the payload for the given secret version if one exists. The version
can be a version number as a string (e.g. "5") or an alias (e.g. "latest").
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# if not (project_id):
# project_id = os.environ.get('GOOGLE_CLOUD_PROJECT')
# Build the resource name of the secret version.
name = f"projects/{project_id}/secrets/{secret_id}/versions/{version_id}"
# name = f"projects/{project_id}/secrets/{secret_id}/versions/1"
# Access the secret version.
response = client.access_secret_version(request={"name": name})
# Print the secret payload.
#
# WARNING: Do not print the secret in a production environment - this
# snippet is showing how to access the secret material.
payload = response.payload.data.decode("UTF-8")
return payload
def __init__(
self,
project_id: str,
credentials: Credentials = None,
client_options: ClientOptions = None,
cache_expiration: int = 5 * 60,
interpolate: InterpolateType = False,
) -> None:
"""
Constructor.
See https://googleapis.dev/python/secretmanager/latest/gapic/v1/api.html#google.cloud.secretmanager_v1.SecretManagerServiceClient
for more details on credentials and options.
:param project_id: GCP Project ID
:param credentials: GCP credentials
:param client_options: GCP client_options
:param cache_expiration: Cache expiration (in seconds)
""" # noqa: E501
self._client = secretmanager.SecretManagerServiceClient(
credentials=credentials, client_options=client_options)
self._project_id = project_id
self._parent = self._client.project_path(project_id)
self._cache_expiration = cache_expiration
self._cache: Dict[str, Cache] = {}
self._interpolate = {} if interpolate is True else interpolate
self._default_levels = None
def send_email(recipent, name, actor):
from sendgrid import SendGridAPIClient
from sendgrid.helpers.mail import Mail
from google.cloud import secretmanager
# https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets
# Also make sure the Cloud Function service account has permission to read the
# secret
client = secretmanager.SecretManagerServiceClient()
name = client.secret_version_path(PROJECT_ID, "sendgrid-apikey", "latest")
response = client.access_secret_version(name)
sendgrid_apikey = response.payload.data.decode("UTF-8")
BODY_HTML = f"""<html>
<head></head>
<body>
<h2><p>The storage bucket ({name}) changed by {actor} violates
the curent secruity policy. </p>
<p>It has been correct. Please check the activity logs for details.</p>
<p>Thank you!</p></h2>
</body>
</html>
"""
message = Mail(
from_email=SENDER,
to_emails=recipent,
subject=SUBJECT,
html_content=BODY_HTML,
)
try:
sg = SendGridAPIClient(sendgrid_apikey)
response = sg.send(message)
print(f"Email request sent. Status code: {response.status_code}")
except Exception as e:
print(e)
def __init__(self):
self.client = secretmanager.SecretManagerServiceClient()
self._client_id = None
self._client_secret = None
self._refresh_token = None
self._access_token = None
self._expires_at = None
def fillCache(self):
if (not GRL):
#
# If we're not running locally, we should get the secrets from the secret manager.
#
# this got much more complicated by storing the project id in the datastore.
# we cannot accesss the datastore unless we are in application context but that
# means it's got to be cached somehow if we don't want to have to keep pulling
# it from the datastore on every request. Bleah.
#
GOOGLE_PROJECT_ID = get_project_name()
CLIENT_SECRET_VERSION = os.environ.get(
'CLIENT_SECRET_VERSION') or '1'
from google.cloud import secretmanager
secrets = secretmanager.SecretManagerServiceClient()
secret_path = f"projects/{GOOGLE_PROJECT_ID}/secrets/OAUTH_CLIENT_SECRETS/versions/{CLIENT_SECRET_VERSION}"
theSecret = secrets.access_secret_version(
secret_path).payload.data.decode("utf-8")
client_secrets = json.loads(theSecret)
CLIENT_ID = client_secrets.get("FN_CLIENT_ID")
CLIENT_SECRET = client_secrets.get("FN_CLIENT_SECRET")
if CLIENT_ID is None:
raise RuntimeError(
"We are not running locally, but CLIENT_ID is not set. Dang. Did you mean to set GLOWSCRIPT_RUNNING_LOCALLY?"
)
else:
CLIENT_ID = ''
CLIENT_SECRET = ''
self.cache['CLIENT_ID'] = CLIENT_ID
self.cache['CLIENT_SECRET'] = CLIENT_SECRET
def access_token_version():
"""
Access the payload for the given secret version if one exists. The version
can be a version number as a string (e.g. "5") or an alias (e.g. "latest").
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager
project_id = os.environ.get('PROJECT_ID')
secret_id = os.environ.get('TOKEN_ID')
version_id = os.environ.get('TOKEN_VERSION')
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the secret version.
name = client.secret_version_path(project_id, secret_id, version_id)
# Access the secret version.
response = client.access_secret_version(name)
# Print the secret payload.
#
# WARNING: Do not print the secret in a production environment - this
# snippet is showing how to access the secret material.
payload = response.payload.data.decode('UTF-8')
return json.loads(payload)
def create_secret(project_id, secret_id):
credentials = service_account.Credentials.from_service_account_file(
KEY_PATH,
scopes=SCOPES,
)
# Import the Secret Manager client library.
from google.cloud import secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the parent project.
parent = client.project_path(project_id)
# Create the secret.
response = client.create_secret(
parent, secret_id, {
'replication': {
'user_managed': {
'replicas': [{
'location': 'europe-north1'
}]
},
},
})
# Print the new secret name.
print('Created secret: {}'.format(response.name))
return response
def get_version(secret_id: str, version_name: str = "latest"):
"""
Gets version from GCP's Secret Manager
:param secret_id: Secret to look up
:param version_name: Version of secret to look up
:return: Response
"""
# todo: Nicer error handling
try:
project_id = os.environ["PROJECT_ID"]
except KeyError:
project_id = "bills-app-305000"
client = secretmanager.SecretManagerServiceClient()
parent = f"projects/{project_id}"
name = f"{parent}/secrets/{secret_id}/versions/{version_name}"
#return client.access_secret_version(
# request={"name": name}
# )
response = client.access_secret_version(request={"name": name})
# Print the secret payload.
# WARNING: Do not print the secret in a production environment - this
# snippet is showing how to access the secret material.
return response.payload.data.decode("UTF-8")
def add_secret_version(project_id, secret_id, payload):
"""
Add a new secret version to the given secret with the provided payload.
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the parent secret.
parent = client.secret_path(project_id, secret_id)
# Convert the string payload into a bytes. This step can be omitted if you
# pass in bytes instead of a str for the payload argument.
payload = payload.encode('UTF-8')
# Add the secret version.
response = client.add_secret_version(parent, {'data': payload})
# Print the new secret version name.
print('Added secret version: {}'.format(response.name))
# [END secretmanager_add_secret_version]
return response
def get_latest_secret_from_secret_manager(
secret_name: str) -> Union[str, None, Any]:
"""
Access the latest secret for the given secret name.
Parameters>
secret_name (str) : Secret name of the secret.
Returns:
If exists, itreturns the secret value.
I not exists, it returns None
"""
try:
# define parameters and instantiate client
project_id = os.environ.get('GCP_PROJECT')
secret_name = f"projects/{project_id}/secrets/{secret_name}/versions/latest"
SM = secretmanager.SecretManagerServiceClient()
# get response and decode
secret_response = SM.access_secret_version(name=secret_name)
secret_value = secret_response.payload.data.decode("UTF-8")
except Exception as e:
print(e)
secret_value = None
return secret_value
def get_cred_config() -> Dict[str, str]:
if "CLOUD_SQL_CREDENTIALS_SECRET" in os.environ:
name = os.environ["CLOUD_SQL_CREDENTIALS_SECRET"]
client = secretmanager.SecretManagerServiceClient()
response = client.access_secret_version(request={"name": name})
logger.info("Credentials pulled from CLOUD_SQL_CREDENTIALS_SECRET")
return json.loads(response.payload.data.decode("UTF-8"))
# [END cloudrun_user_auth_secrets]
else:
logger.info(
"CLOUD_SQL_CREDENTIALS_SECRET env var not set. Defaulting to environment variables."
)
if "DB_USER" not in os.environ:
raise Exception("DB_USER needs to be set.")
if "DB_PASSWORD" not in os.environ:
raise Exception("DB_PASSWORD needs to be set.")
if "DB_NAME" not in os.environ:
raise Exception("DB_NAME needs to be set.")
if "CLOUD_SQL_CONNECTION_NAME" not in os.environ:
raise Exception("CLOUD_SQL_CONNECTION_NAME needs to be set.")
return {
"DB_USER": os.environ["DB_USER"],
"DB_PASSWORD": os.environ["DB_PASSWORD"],
"DB_NAME": os.environ["DB_NAME"],
"DB_HOST": os.environ.get("DB_HOST", None),
"CLOUD_SQL_CONNECTION_NAME": os.environ["CLOUD_SQL_CONNECTION_NAME"],
}
def get_client_secret():
"""
To enable iam role access (for service accounts) to the secret, run the following:
gcloud beta secrets add-iam-policy-binding client_secret
--role roles/secretmanager.secretAccessor
--member serviceAccount:[email protected]
:return: content of client secret string
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager
# GCP project in which to store secrets in Secret Manager.
project_id = 'influencer-272204'
# ID of the secret to create.
secret_id = 'client_secret'
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the parent name from the project.
# parent = client.project_path(project_id)
resource_name = f"projects/{project_id}/secrets/{secret_id}/versions/latest"
response = client.access_secret_version(resource_name)
secret_string = response.payload.data.decode('UTF-8')
return secret_string
def get_secret_by_uri(secret_uri, decode=True):
"""
Gets a secret from GCP and returns it either as decoded
utf-8 or raw bytes (depending on ``decode`` parameter).
Executing account must have (at least) secret version
accessor permissions on the secret.
.. code:: python
from bibtutils.gcp.secrets import get_secret_by_uri
secret = get_secret_by_uri(
'projects/my_project/secrets/my_secret/versions/latest'
)
print(secret)
:type secret_uri: :py:class:`str`
:param secret_uri: the uri of the secret to fetch. secret uri format:
``'projects/{host_project}/secrets/{secret_name}/versions/latest'``
:type decode: :py:class:`bool`
:param decode: (Optional) whether or not to decode the bytes.
Defaults to ``True``.
:rtype: :py:class:`bytes` OR :py:class:`str`
:returns: the secret data.
"""
logging.info(f"Getting secret: {secret_uri}")
client = secretmanager.SecretManagerServiceClient()
secret = client.access_secret_version(request={
"name": secret_uri
},
timeout=3).payload.data
if decode:
return secret.decode("utf-8")
return secret
def list_secrets_with_filter(project_id, filter_str):
"""
List all secrets in the given project.
Args:
project_id: Parent project id
filter_str: Secret filter, constructing according to
https://cloud.google.com/secret-manager/docs/filtering
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the parent project.
parent = f"projects/{project_id}"
# List all secrets.
for secret in client.list_secrets(request={
"parent": parent,
"filter": filter_str
}):
print("Found secret: {}".format(secret.name))
def access_secret_version(project_id, secret_id, version_id):
"""
Access the payload for the given secret version if one exists. The version
can be a version number as a string (e.g. "5") or an alias (e.g. "latest").
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the secret version.
name = f"projects/{project_id}/secrets/{secret_id}/versions/{version_id}"
# Access the secret version.
response = client.access_secret_version(request={"name": name})
# Print the secret payload.
#
# WARNING: Do not print the secret in a production environment - this
# snippet is showing how to access the secret material.
payload = response.payload.data.decode("UTF-8")
print("Plaintext: {}".format(payload))
# [END secretmanager_access_secret_version]
return response
def get_latest_secret(secret_name):
"""
Function to get the latest secret by name.
"""
# Set GCP Secret Manager vars
secret_project = getenv('S_PROJECT')
secret_version = getenv('S_VERSION', "latest")
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Set the secret location
secret_location = client.secret_version_path(secret_project, secret_name,
secret_version)
# Get the secret to use
try:
print(f"Getting {secret_name} secret.")
response = client.access_secret_version(name=f"{secret_location}")
decoded_secret = response.payload.data.decode('UTF-8').rstrip()
return decoded_secret
except exceptions.FailedPrecondition as e:
print(e)
raise
def _access_secret_version(project_id: str, secret_id: str,
version_id: str) -> str:
"""
Access the payload for the given secret version if one exists. The version
can be a version number as a string (e.g. "5") or an alias (e.g. "latest").
Notes:
This function authenticates with GCP using credential of the default service
account of App Engine. This credential is provided automatically IN App Engine.
Therefore, if you want to run this in external environment (e.g. locally), you
have to set variable GOOGLE_APPLICATION_CREDENTIALS to the path of json key file.
"""
# Create the Secret Manager client.
# Credential is automatically provided by App Engine
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the secret version.
name = f"projects/{project_id}/secrets/{secret_id}/versions/{version_id}"
# Access the secret version.
response = client.access_secret_version(request={"name": name})
# Print the secret payload.
#
# WARNING: Do not print the secret in a production environment - this
# snippet is showing how to access the secret material.
payload = response.payload.data.decode("UTF-8")
return payload
def iam_grant_access(project_id, secret_id, member):
"""
Grant the given member access to a secret.
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the secret.
name = client.secret_path(project_id, secret_id)
# Get the current IAM policy.
policy = client.get_iam_policy(name)
# Add the given member with access permissions.
policy.bindings.add(
role='roles/secretmanager.secretAccessor',
members=[member])
# Update the IAM Policy.
new_policy = client.set_iam_policy(name, policy)
# Print data about the secret.
print('Updated IAM policy on {}'.format(secret_id))
# [END secretmanager_iam_grant_access]
return new_policy
def get_azure_app_secret():
client = secretmanager.SecretManagerServiceClient()
secret_name = client.secret_version_path(os.environ["PROJECT_ID"],
"azure-app-secret", "latest")
return client.access_secret_version(request={
"name": secret_name
}).payload.data.decode("UTF-8")
def add_secret_version(project_id, secret_id, payload):
# Import the Secret Manager client library.
from google.cloud import secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the parent secret.
parent = client.secret_path(project_id, secret_id)
# Convert the string payload into a bytes. This step can be omitted if you
# pass in bytes instead of a str for the payload argument.
payload = payload.encode("UTF-8")
# Add the secret version.
response = client.add_secret_version(request={
"parent": parent,
"payload": {
"data": payload
}
})
# Print the new secret version name.
print("Added secret version: {}".format(response.name))
# [END secretmanager_add_secret_version]
return response
def __init__(self):
self.project_id = os.getenv("GOOGLE_PROJECT_ID")
self.version_id = os.getenv("CN_CONFIG_GOOGLE_SECRET_VERSION_ID", "latest")
# secrets key value by default
self.google_secret_name = os.getenv("CN_CONFIG_GOOGLE_SECRET_NAME_PREFIX", "jans") + "-configuration"
# Create the Secret Manager client.
self.client = secretmanager.SecretManagerServiceClient()
def destroy_secret_version_with_etag(project_id, secret_id, version_id, etag):
"""
Destroy the given secret version, making the payload irrecoverable. Other
secrets versions are unaffected.
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager
from google.cloud.secretmanager_v1.types import service
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the secret version
name = f"projects/{project_id}/secrets/{secret_id}/versions/{version_id}"
# Build the request
request = service.DestroySecretVersionRequest()
request.name = name
request.etag = etag
# Destroy the secret version.
response = client.destroy_secret_version(request=request)
print("Destroyed secret version: {}".format(response.name))
# [END secretmanager_destroy_secret_version_with_etag]
return response
def access_secret_version(secret_version_id):
from google.cloud import secretmanager
client = secretmanager.SecretManagerServiceClient()
response = client.access_secret_version(name=secret_version_id)
return response.payload.data.decode('UTF-8')