def get_secret(project_id, secret_id):
"""
Get information about the given secret. This only returns metadata about
the secret container, not any secret material.
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager_v1beta1 as secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the secret.
name = client.secret_path(project_id, secret_id)
# Delete the secret.
response = client.get_secret(name)
# Get the replication policy.
if response.replication.automatic:
replication = 'AUTOMATIC'
elif response.replication.user_managed:
replication = 'MANAGED'
else:
raise 'Unknown replication {}'.format(response.replication)
# Print data about the secret.
print('Got secret {} with replication policy {}'.format(
response.name, replication))
# [END secretmanager_get_secret]
return response
def test_update_secret(self):
# Setup Expected Response
name = "name3373707"
expected_response = {"name": name}
expected_response = resources_pb2.Secret(**expected_response)
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1beta1.SecretManagerServiceClient()
# Setup Request
secret = {}
update_mask = {}
response = client.update_secret(secret, update_mask)
assert expected_response == response
assert len(channel.requests) == 1
expected_request = service_pb2.UpdateSecretRequest(
secret=secret, update_mask=update_mask)
actual_request = channel.requests[0][1]
assert expected_request == actual_request
def add_secret_version(project_id, secret_id, payload):
"""
Add a new secret version to the given secret with the provided payload.
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager_v1beta1 as secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the parent secret.
parent = client.secret_path(project_id, secret_id)
# Convert the string payload into a bytes. This step can be omitted if you
# pass in bytes instead of a str for the payload argument.
payload = payload.encode('UTF-8')
# Add the secret version.
response = client.add_secret_version(parent, {'data': payload})
# Print the new secret version name.
print('Added secret version: {}'.format(response.name))
# [END secretmanager_add_secret_version]
return response
def create_secret(ctx, env, location, keyring, keyname, secret_name, plaintext):
"""
jeeves crypt create-secret ENV LOCATION KEYRING KEYNAME SECRET_NAME PLAINTExT
env = local, dev, tst, prd
location = 'us-west3', 'us-west2', etc
Encodes the plaintext secret and writes it to gcloud secrets
"""
encoded = ctx.invoke(encode_secret,
env=env,
location=location,
keyring=keyring,
keyname=keyname,
plaintext=plaintext)
client = secretmanager.SecretManagerServiceClient()
path = client.secret_path(gcloud.project(env), secret_name)
try:
version = client.add_secret_version(path, {'data': encoded.encode('utf-8')})
except NotFound:
client.create_secret(client.project_path(gcloud.project(env)), secret_name, {
'replication': {
'automatic': {},
},
})
version = client.add_secret_version(path, {'data': encoded.encode('utf-8')})
assert version is not None
def create_secret(project_id, secret_id):
"""
Create a new secret with the given name. A secret is a logical wrapper
around a collection of secret versions. Secret versions hold the actual
secret material.
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager_v1beta1 as secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the parent project.
parent = client.project_path(project_id)
# Create the secret.
response = client.create_secret(parent, secret_id, {
'replication': {
'automatic': {},
},
})
# Print the new secret name.
print('Created secret: {}'.format(response.name))
def iam_revoke_access(project_id, secret_id, member):
"""
Revoke the given member access to a secret.
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager_v1beta1 as secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the secret.
name = client.secret_path(project_id, secret_id)
# Get the current IAM policy.
policy = client.get_iam_policy(name)
# Remove the given member's access permissions.
accessRole = 'roles/secretmanager.secretAccessor'
for b in list(policy.bindings):
if b.role == accessRole and member in b.members:
b.members.remove(member)
# Update the IAM Policy.
new_policy = client.set_iam_policy(name, policy)
# Print data about the secret.
print('Updated IAM policy on {}'.format(secret_id))
# [END secretmanager_iam_revoke_access]
return new_policy
def test_create_secret(self):
# Setup Expected Response
name = "name3373707"
expected_response = {"name": name}
expected_response = resources_pb2.Secret(**expected_response)
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1beta1.SecretManagerServiceClient()
# Setup Request
parent = client.project_path("[PROJECT]")
secret_id = "secretId-739547894"
response = client.create_secret(parent, secret_id)
assert expected_response == response
assert len(channel.requests) == 1
expected_request = service_pb2.CreateSecretRequest(parent=parent,
secret_id=secret_id)
actual_request = channel.requests[0][1]
assert expected_request == actual_request
def test_get_iam_policy(self):
# Setup Expected Response
version = 351608024
etag = b"21"
expected_response = {"version": version, "etag": etag}
expected_response = policy_pb2.Policy(**expected_response)
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1beta1.SecretManagerServiceClient()
# Setup Request
resource = "resource-341064690"
response = client.get_iam_policy(resource)
assert expected_response == response
assert len(channel.requests) == 1
expected_request = iam_policy_pb2.GetIamPolicyRequest(
resource=resource)
actual_request = channel.requests[0][1]
assert expected_request == actual_request
def test_test_iam_permissions(self):
# Setup Expected Response
expected_response = {}
expected_response = iam_policy_pb2.TestIamPermissionsResponse(
**expected_response)
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1beta1.SecretManagerServiceClient()
# Setup Request
resource = "resource-341064690"
permissions = []
response = client.test_iam_permissions(resource, permissions)
assert expected_response == response
assert len(channel.requests) == 1
expected_request = iam_policy_pb2.TestIamPermissionsRequest(
resource=resource, permissions=permissions)
actual_request = channel.requests[0][1]
assert expected_request == actual_request
def main():
access_token = os.getenv(ACCESS_TOKEN_ENV_VARIABLE)
if not access_token:
project_id = 'cirq-infra'
print('{} not set. Trying secret manager.'.format(
ACCESS_TOKEN_ENV_VARIABLE),
file=sys.stderr)
client = secretmanager_v1beta1.SecretManagerServiceClient()
secret_name = (f'projects/{project_id}/'
f'secrets/cirq-bot-api-key/versions/1')
response = client.access_secret_version(name=secret_name)
access_token = response.payload.data.decode('UTF-8')
repo = GithubRepository(
organization=GITHUB_REPO_ORGANIZATION,
name=GITHUB_REPO_NAME,
access_token=access_token)
log('Watching for automergeable PRs.')
problem_seen_times = {} # type: Dict[int, datetime.datetime]
while True:
try:
duty_cycle(repo, problem_seen_times)
except Exception: # Anything but a keyboard interrupt / system exit.
traceback.print_exc()
wait_for_polling_period()
def test_list_secrets(self):
# Setup Expected Response
next_page_token = ""
total_size = 705419236
secrets_element = {}
secrets = [secrets_element]
expected_response = {
"next_page_token": next_page_token,
"total_size": total_size,
"secrets": secrets,
}
expected_response = service_pb2.ListSecretsResponse(
**expected_response)
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1beta1.SecretManagerServiceClient()
# Setup Request
parent = client.project_path("[PROJECT]")
paged_list_response = client.list_secrets(parent)
resources = list(paged_list_response)
assert len(resources) == 1
assert expected_response.secrets[0] == resources[0]
assert len(channel.requests) == 1
expected_request = service_pb2.ListSecretsRequest(parent=parent)
actual_request = channel.requests[0][1]
assert expected_request == actual_request
def get_secret(project_id, secret_id, version="latest"):
client = secretmanager.SecretManagerServiceClient()
name = client.secret_version_path(project_id, secret_id, version)
version = client.access_secret_version(name)
return version.payload.data.decode('utf-8')
def access_secret_version(project_id, secret_id, version_id="latest"):
"""
Access the payload for the given secret version if one exists. The version
can be a version number as a string (e.g. "5") or an alias (e.g. "latest").
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager_v1beta1 as secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the secret version.
name = client.secret_version_path(project_id, secret_id, version_id)
# Access the secret version.
response = client.access_secret_version(name)
# Print the secret payload.
#
# WARNING: Do not print the secret in a production environment - this
# snippet is showing how to access the secret material.
payload = response.payload.data.decode("UTF-8")
# print('Plaintext: {}'.format(payload))
return payload
def iam_grant_access(project_id, secret_id, member):
"""
Grant the given member access to a secret.
"""
# Import the Secret Manager client library.
from google.cloud import secretmanager_v1beta1 as secretmanager
# Create the Secret Manager client.
client = secretmanager.SecretManagerServiceClient()
# Build the resource name of the secret.
name = client.secret_path(project_id, secret_id)
# Get the current IAM policy.
policy = client.get_iam_policy(name)
# Add the given member with access permissions.
policy.bindings.add(role='roles/secretmanager.secretAccessor',
members=[member])
# Update the IAM Policy.
new_policy = client.set_iam_policy(name, policy)
# Print data about the secret.
print('Updated IAM policy on {}'.format(secret_id))
# [END secretmanager_iam_grant_access]
return new_policy
def test_access_secret_version(self):
# Setup Expected Response
name_2 = "name2-1052831874"
expected_response = {"name": name_2}
expected_response = service_pb2.AccessSecretVersionResponse(
**expected_response)
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1beta1.SecretManagerServiceClient()
# Setup Request
name = client.secret_version_path("[PROJECT]", "[SECRET]",
"[SECRET_VERSION]")
response = client.access_secret_version(name)
assert expected_response == response
assert len(channel.requests) == 1
expected_request = service_pb2.AccessSecretVersionRequest(name=name)
actual_request = channel.requests[0][1]
assert expected_request == actual_request
def test_add_secret_version(self):
# Setup Expected Response
name = "name3373707"
expected_response = {"name": name}
expected_response = resources_pb2.SecretVersion(**expected_response)
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1beta1.SecretManagerServiceClient()
# Setup Request
parent = client.secret_path("[PROJECT]", "[SECRET]")
payload = {}
response = client.add_secret_version(parent, payload)
assert expected_response == response
assert len(channel.requests) == 1
expected_request = service_pb2.AddSecretVersionRequest(parent=parent,
payload=payload)
actual_request = channel.requests[0][1]
assert expected_request == actual_request
def __init__(self):
import google.auth
from google.cloud import secretmanager_v1beta1 as sm
_, project = google.auth.default()
if project:
self._client = sm.SecretManagerServiceClient()
self._project = project
else:
raise RuntimeError("Could get default GCP project")
def access_secret_version(project_id, secret_id, version_id):
"""
Accesses the payload for the given secret version if one exists. The version
can be a version number as a string (e.g. "5") or an alias (e.g. "latest").
"""
client = secretmanager.SecretManagerServiceClient()
name = client.secret_version_path(project_id, secret_id, version_id)
response = client.access_secret_version(name)
payload = response.payload.data.decode('UTF-8')
return payload
def access_secret_bytes(secret_name):
"""
Access the payload string for the latest secret version if one exists. See
https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#secretmanager-access-secret-version-python
"""
client = secretmanager.SecretManagerServiceClient()
project_id = "294417890851"
secret_version = "latest"
name = client.secret_version_path(project_id, secret_name, secret_version)
response = client.access_secret_version(name)
return response.payload.data
def createsuperuser(apps, schema_editor):
# Retrieve secret from Secret Manager
_, project = google.auth.default()
client = sm.SecretManagerServiceClient()
path = client.secret_version_path(project, "admin_password", "latest")
admin_password = client.access_secret_version(path).payload.data.decode("UTF-8")
# Create a new user using acquired password
from django.contrib.auth.models import User
User.objects.create_superuser("admin", password=admin_password)
def get_secret(project_name, secret_name, version_num):
"""
Returns secret payload from Cloud Secret Manager
"""
try:
client = secretmanager_v1beta1.SecretManagerServiceClient()
name = client.secret_version_path(project_name, secret_name,
version_num)
secret = client.access_secret_version(name)
return secret.payload.data
except Exception as e:
print(e)
def test_get_iam_policy_exception(self):
# Mock the API response
channel = ChannelStub(responses=[CustomException()])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1beta1.SecretManagerServiceClient()
# Setup request
resource = "resource-341064690"
with pytest.raises(CustomException):
client.get_iam_policy(resource)
def test_delete_secret_exception(self):
# Mock the API response
channel = ChannelStub(responses=[CustomException()])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1beta1.SecretManagerServiceClient()
# Setup request
name = client.secret_path("[PROJECT]", "[SECRET]")
with pytest.raises(CustomException):
client.delete_secret(name)
def test_list_secret_versions_exception(self):
channel = ChannelStub(responses=[CustomException()])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1beta1.SecretManagerServiceClient()
# Setup request
parent = client.secret_path("[PROJECT]", "[SECRET]")
paged_list_response = client.list_secret_versions(parent)
with pytest.raises(CustomException):
list(paged_list_response)
def test_create_secret_exception(self):
# Mock the API response
channel = ChannelStub(responses=[CustomException()])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1beta1.SecretManagerServiceClient()
# Setup request
parent = client.project_path("[PROJECT]")
secret_id = "secretId-739547894"
with pytest.raises(CustomException):
client.create_secret(parent, secret_id)
def test_update_secret_exception(self):
# Mock the API response
channel = ChannelStub(responses=[CustomException()])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1beta1.SecretManagerServiceClient()
# Setup request
secret = {}
update_mask = {}
with pytest.raises(CustomException):
client.update_secret(secret, update_mask)
def access_secret(secret_key):
if settings.LOCAL_DEVELOPMENT:
return os.environ[secret_key]
else:
import google.auth
from google.cloud import secretmanager_v1beta1 as sm
_, project = google.auth.default()
client = sm.SecretManagerServiceClient()
path = client.secret_version_path(project, secret_key, "latest")
payload = client.access_secret_version(path).payload.data.decode(
"UTF-8")
return payload
def access_secrets(secret_keys):
secrets = {}
_, project = google.auth.default()
if project:
client = sm.SecretManagerServiceClient()
for s in secret_keys:
path = client.secret_version_path(project, s, "latest")
payload = client.access_secret_version(path).payload.data.decode(
"UTF-8")
secrets[s] = payload
return secrets
def get_secret_value(secret_id, default=None, raise_exception=True):
try:
version_id = 1
client = secretmanager.SecretManagerServiceClient()
name = client.secret_version_path(project_id, secret_id, version_id)
response = client.access_secret_version(name)
return response.payload.data.decode('UTF-8')
except google.api_core.exceptions.NotFound:
if default is None and raise_exception:
raise
return default
def KeyGen(keyfile):
# Connect to the secret manager in GCP to generate the local copy of the GCP Service Account key file
client = secretmanager.SecretManagerServiceClient()
# Variables for the GCP secret and project names defined in the Dockerfile
secret_name = os.environ['GCP_SECRET']
project_id = os.environ['GCP_PROJECT']
# Define the path and version of the secret. Update the version number if needed
secret_name = f"projects/{project_id}/secrets/{secret_name}/versions/1"
response = client.access_secret_version(secret_name)
secret_string = response.payload.data.decode('UTF-8')
print('Secret accessed and generating service key')
# Write the contents of the GCP secret to a local json file. The key file and path is passed from the 'GCP_KEYFILE' environment variable defined in the Dockerfile
with open(keyfile, 'w') as outfile:
outfile.write(secret_string)
print('Service account key created')
