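def _destroy_service_account_creds(self, service_account_email, secret_name=None):
    """
    Delete the Google service account key whose ID is recorded in the
    Secrets Manager secret that stores the account's credentials.

    The secret is the only place the key ID is kept, so it has to be read
    before the secret itself is destroyed (callers delete the key first and
    the secret second). If the secret is already gone, the key cannot be
    identified from here and is left in place; that case is logged as a
    warning rather than info, because a key that was never deleted on the
    Google side stays valid until someone revokes it by hand.

    :param service_account_email: email of the service account that owns the key
    :param secret_name: full Secrets Manager secret ID holding the key JSON;
                        defaults to the deployment's 'google_service_account'
                        secret (kept for callers that pass only the email)
    :raises ClientError: for Secrets Manager failures other than a missing secret
    :raises HttpError: for Google API failures other than a missing key
    """
    if secret_name is None:
        secret_name = config.secrets_manager_secret_name('google_service_account')
    try:
        creds = self.secrets_manager.get_secret_value(SecretId=secret_name)
    except ClientError as e:
        if e.response['Error']['Code'] == 'ResourceNotFoundException':
            logger.warning('Secret already deleted, cannot get key_id for %s; '
                           'any remaining service account key must be revoked manually',
                           service_account_email)
            return
        else:
            raise
    key_id = json.loads(creds['SecretString'])['private_key_id']
    service = get_google_service()
    key_name = 'projects/-/serviceAccounts/{}/keys/{}'.format(service_account_email, key_id)
    try:
        service.projects().serviceAccounts().keys().delete(name=key_name).execute()
    except HttpError as e:
        if e.resp.reason != 'Not Found':
            raise
        # Do not report success for a key that was not there to delete
        logger.info("Service account key with id '%s' for user '%s' was already deleted",
                    key_id, service_account_email)
    else:
        logger.info("Successfully deleted service account key with id '%s' for user '%s'",
                    key_id, service_account_email)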
def provision_hmac(self, build):
    """
    Create or destroy the Secrets Manager secret that holds the indexer's
    HMAC key.

    When building, the secret is created and, only if it holds no value
    yet, populated with a freshly generated key. A key that is already
    stored is left untouched, so running provisioning again does not
    rotate it. When not building, the secret is destroyed.

    :param build: True to provision the secret, False to tear it down
    """
    hmac_secret = config.secrets_manager_secret_name('indexer', 'hmac')
    if not build:
        self._destroy_aws_secrets_manager_secret(hmac_secret)
        return
    self._create_secret(hmac_secret)
    if self._secret_is_stored(hmac_secret):
        return
    self._write_secret_value(hmac_secret, self._random_hmac_key())
def provision_google(self, build, email, secret_name):
    """
    Create or destroy the Secrets Manager secret holding the credentials
    of a Google service account, along with the service account key itself.

    When building, the secret is created and, only if it is still empty, a
    new service account key is generated and written into it; an existing
    key is kept. When tearing down, the Google key is deleted before the
    secret, because the secret is what records the key's ID.

    :param build: True to provision, False to tear down
    :param email: email of the Google service account
    :param secret_name: logical secret name, resolved via config
    """
    secret_id = config.secrets_manager_secret_name(secret_name)
    if build:
        self._create_secret(secret_id)
        if not self._secret_is_stored(secret_id):
            new_key = self._create_service_account_creds(email)
            self._write_secret_value(secret_id, new_key)
    else:
        # Key first, secret second: the key ID needed for deletion is read
        # from the secret.
        self._destroy_service_account_creds(email, secret_id)
        self._destroy_aws_secrets_manager_secret(secret_id)
def service_account_credentials(self):
    """
    Context manager that exposes the deployment's Google service account
    credentials through a temporary file and points the
    GOOGLE_APPLICATION_CREDENTIALS environment variable at it for the
    duration of the context.

    The value yielded is the path of that file. The temporary file is
    created by the tempfile module (via mkstemp, owner-only permissions on
    POSIX per the stdlib docs) and is removed when the context exits, and
    the environment variable is restored to its previous state at the same
    time, so the key material and the pointer to it do not outlive the
    block.
    """
    secret_id = config.secrets_manager_secret_name('google_service_account')
    credentials_json = self._service_account_creds(secret_id)['SecretString']
    with tempfile.NamedTemporaryFile(mode='w+') as creds_file:
        creds_file.write(credentials_json)
        # Make the content visible to other readers of the path before
        # anyone is told about it
        creds_file.flush()
        env_override = {'GOOGLE_APPLICATION_CREDENTIALS': creds_file.name}
        with patch.dict(os.environ, env_override):
            yield creds_file.name
def service_account_credentials(self, service_account: config.ServiceAccount):
    """
    Context manager that exposes the credentials of the given Google
    service account through a temporary file and yields the path of that
    file.

    For as long as the context is active, GOOGLE_APPLICATION_CREDENTIALS is
    patched to the empty string so that code which does not take the
    yielded path explicitly cannot pick up this or any other key file via
    that variable. The temporary file is created by the tempfile module
    (via mkstemp, owner-only permissions on POSIX per the stdlib docs) and
    is deleted when the context exits; the environment variable is
    restored at the same time.

    NOTE(review): blanking GOOGLE_APPLICATION_CREDENTIALS only disables the
    explicit-file source of Application Default Credentials. If gcloud SDK
    user credentials or a metadata server are reachable, presumably they
    remain discoverable by ADC -- confirm that is acceptable wherever this
    is relied on to prevent accidental credential use.

    :param service_account: the service account whose secret name to read
    """
    secret_id = config.secrets_manager_secret_name(service_account.secret_name)
    credentials_json = self._service_account_creds(secret_id)['SecretString']
    with tempfile.NamedTemporaryFile(mode='w+') as creds_file:
        creds_file.write(credentials_json)
        # Make the content visible to other readers of the path before
        # anyone is told about it
        creds_file.flush()
        env_override = {'GOOGLE_APPLICATION_CREDENTIALS': ''}
        with patch.dict(os.environ, env_override):
            yield creds_file.name
def get_hmac_key_and_id(self):
    """
    Fetch the indexer's HMAC key and its key ID from Secrets Manager.

    The secret value is a JSON object with the keys 'key' and 'key_id'; it
    is provisioned by scripts/provision_credentials.py.

    :return: a tuple of (key, key_id)
    """
    secret_id = config.secrets_manager_secret_name('indexer', 'hmac')
    stored = self.secretsmanager.get_secret_value(SecretId=secret_id)
    hmac_secret = json.loads(stored['SecretString'])
    return hmac_secret['key'], hmac_secret['key_id']