Esempio n. 1
def get_access_token(secret_path):
    """Build scoped credentials from one of three sources and return an access token.

    The credential source is selected from ``secret_path`` alone:

    * falsy value: application default credentials (local run as a user);
    * path of an existing local file: that service account JSON key file;
    * anything else: passed to Secret Manager as a secret version resource ID
      whose payload is parsed as a service account JSON key (Cloud Function run).

    Every branch requests only the two ``userinfo`` scopes listed below.

    Args:
      secret_path: The 'Resource ID' of the service account key stored in Secret
        Manager, the filepath to the service account's JSON key when testing
        locally, or a falsy value to use the application default credentials.
    Returns:
      The ``access_token`` attribute of the token issued for the credentials.
    """
    requested_scopes = [
        "https://www.googleapis.com/auth/userinfo.profile",
        "https://www.googleapis.com/auth/userinfo.email"
    ]

    if not secret_path:
        # No path supplied: fall back to the caller's own default credentials.
        default_credentials = GoogleCredentials.get_application_default()
        credentials = default_credentials.create_scoped(requested_scopes)
    elif os.path.isfile(secret_path):
        # The argument names a file on disk: load the service account key from it.
        credentials = ServiceAccountCredentials.from_json_keyfile_name(
            secret_path, scopes=requested_scopes)
    else:
        # Not a local file, so the value is handed to Secret Manager unchanged.
        # NOTE(review): the positional call matches older
        # google-cloud-secret-manager releases; newer ones expect `name=` or
        # `request=` -- confirm against the pinned client version.
        secret_client = SecretManagerServiceClient()
        secret_version = secret_client.access_secret_version(secret_path)
        # The payload is service account key material; it is only decoded,
        # parsed and handed to the credentials constructor, never stored.
        key_document = secret_version.payload.data.decode("utf-8")
        credentials = ServiceAccountCredentials.from_json_keyfile_dict(
            json.loads(key_document), scopes=requested_scopes)

    # The returned string is a bearer credential: keep it out of logs and
    # error messages in calling code.
    issued_token = credentials.get_access_token()
    return issued_token.access_token
Esempio n. 2
class SecretManager:
    """Thin wrapper that reads secret versions for one project from Secret Manager."""

    def __init__(self, project=None):
        """Store the project and create the Secret Manager service client.

        Arguments:
            project {string} -- Project that owns the secrets. When None, the
                GCP_PROJECT environment variable is read; a missing variable
                raises KeyError.
        """
        # An explicit argument wins; the environment is consulted only for None.
        self.project = os.environ['GCP_PROJECT'] if project is None else project

        # No credentials are passed here, so the client library resolves them itself.
        self.client = SecretManagerServiceClient()

    def get_secret(self, secret_name, version="latest"):
        """Fetch one secret version and return its payload as text.

        Arguments:
            secret_name {string} -- The name of the secret to be retrieved.
            version {string} -- Version of the secret to be retrieved. Default: "latest".

        Returns:
            string -- The payload bytes decoded as UTF-8.

        """
        # Resource name has the form
        # projects/{project}/secrets/{secret_name}/versions/{version}.
        # With the default "latest" the value returned can change whenever a
        # new version is added; pass an explicit version to pin it.
        resource_name = self.client.secret_version_path(
            self.project, secret_name, version)

        # NOTE(review): the positional call matches older client releases;
        # newer ones expect `name=` or `request=` -- confirm the pinned version.
        secret_version = self.client.access_secret_version(resource_name)

        # The decoded value is the secret itself: callers should not log it.
        payload_bytes = secret_version.payload.data
        return payload_bytes.decode("utf-8")
Esempio n. 3
    def __init__(self, project=None):
        """Store the project and create the Secret Manager service client.

        When ``project`` is None the GCP_PROJECT environment variable is read
        instead; a missing variable raises KeyError.
        """
        # An explicit argument wins; the environment is consulted only for None.
        self.project = os.environ['GCP_PROJECT'] if project is None else project

        # No credentials are passed here, so the client library resolves them itself.
        self.client = SecretManagerServiceClient()
 def client(self) -> SecretManagerServiceClient:
     """Return a Secret Manager client authenticated with ``self.credentials``.

     Despite the wording inherited from a KMS helper, the object built here is a
     SecretManagerServiceClient. The client library version reported with each
     request is 'airflow_v' followed by ``version``.
     """
     # A new client object is constructed on each call to this function.
     stored_credentials = self.credentials
     library_info = ClientInfo(client_library_version='airflow_v' + version)
     return SecretManagerServiceClient(credentials=stored_credentials,
                                       client_info=library_info)
 def client(self) -> SecretManagerServiceClient:
     """
     Resolve credentials and return an authenticated Secret Manager client.

     Despite the wording inherited from a KMS helper, the object built here is a
     SecretManagerServiceClient. As a side effect, ``self.credentials`` and
     ``self.project_id`` are overwritten with the values resolved from
     ``self.gcp_key_path`` and the scopes derived from ``self.gcp_scopes``.
     """
     resolved_scopes = _get_scopes(self.gcp_scopes)
     # NOTE(review): behaviour when gcp_key_path is unset depends on
     # get_credentials_and_project_id, which is not visible here -- confirm
     # which identity is used in that case.
     resolved = get_credentials_and_project_id(
         key_path=self.gcp_key_path, scopes=resolved_scopes)
     self.credentials, self.project_id = resolved
     library_info = ClientInfo(
         client_library_version='airflow_v' + version.version)
     return SecretManagerServiceClient(credentials=self.credentials,
                                       client_info=library_info)
Esempio n. 6
 def client(self) -> SecretManagerServiceClient:
     """Return a Secret Manager client authenticated with ``self.credentials``.

     Despite the wording inherited from a KMS helper, the object built here is a
     SecretManagerServiceClient; CLIENT_INFO is passed as its client info.
     """
     # A new client object is constructed on each call to this function.
     return SecretManagerServiceClient(
         credentials=self.credentials,
         client_info=CLIENT_INFO,
     )