def get_access_token(secret_path):
    """Create a short-lived access token carrying only the two userinfo scopes.

    The credential source is chosen from ``secret_path``:

    * empty/None        -> application default credential (local run as a user);
    * an existing file  -> service-account JSON key on disk (local run as the
      service account);
    * anything else     -> a Secret Manager resource name whose payload is the
      service-account JSON key (run inside the Cloud Function).

    Args:
        secret_path: Resource ID of the service-account key in Secret Manager,
            or the path to the JSON key file when testing locally.

    Returns:
        The bearer access token string.
    """
    oauth_scopes = [
        "https://www.googleapis.com/auth/userinfo.profile",
        "https://www.googleapis.com/auth/userinfo.email",
    ]

    if not secret_path:
        # Local run as a user: narrow the application default credential
        # down to the two scopes above.
        creds = GoogleCredentials.get_application_default().create_scoped(oauth_scopes)
        return creds.get_access_token().access_token

    if os.path.isfile(secret_path):
        # Local run as the service account, with the key file on disk.
        creds = ServiceAccountCredentials.from_json_keyfile_name(
            secret_path, scopes=oauth_scopes)
        return creds.get_access_token().access_token

    # Cloud Function: the key material is fetched from Secret Manager and
    # parsed in memory only. The decoded payload is a private key; keep it
    # out of logs and error messages.
    sm_client = SecretManagerServiceClient()
    payload = sm_client.access_secret_version(secret_path).payload.data
    key_info = json.loads(payload.decode("utf-8"))
    creds = ServiceAccountCredentials.from_json_keyfile_dict(
        key_info, scopes=oauth_scopes)
    return creds.get_access_token().access_token
class SecretManager:
    """Thin wrapper around the Secret Manager client for one GCP project."""

    def __init__(self, project=None):
        """Bind the wrapper to ``project`` (or ``$GCP_PROJECT`` when omitted).

        Raises:
            KeyError: if ``project`` is None and GCP_PROJECT is not set.
        """
        # Fall back to the environment only when no project was supplied.
        self.project = os.environ['GCP_PROJECT'] if project is None else project
        self.client = SecretManagerServiceClient()

    def get_secret(self, secret_name, version="latest"):
        """Return the UTF-8 decoded payload of one secret version.

        Arguments:
            secret_name {string} -- Name of the secret to read.
            version {string} -- Version to read. Default: "latest".
                NOTE(review): "latest" silently follows rotation; pin a
                numbered version where a deployment must be reproducible.

        Returns:
            string -- Decoded secret payload.
        """
        # Resolves to projects/{project}/secrets/{secret_name}/versions/{version}.
        version_name = self.client.secret_version_path(
            self.project, secret_name, version)
        secret_version = self.client.access_secret_version(version_name)
        return secret_version.payload.data.decode("utf-8")
def __init__(self, project=None):
    """Bind the instance to a GCP project and open a Secret Manager client.

    Args:
        project: Project id to use. When None, the GCP_PROJECT environment
            variable is read instead (KeyError if it is unset).
    """
    # Environment fallback applies only when the caller passed nothing.
    self.project = os.environ['GCP_PROJECT'] if project is None else project
    self.client = SecretManagerServiceClient()
def client(self) -> SecretManagerServiceClient:
    """Build a Secret Manager client authenticated with ``self.credentials``.

    The client_info tag is ``airflow_v<version>`` so requests are attributed
    to this Airflow integration in the request's user agent.
    """
    library_tag = 'airflow_v' + version
    return SecretManagerServiceClient(
        credentials=self.credentials,
        client_info=ClientInfo(client_library_version=library_tag),
    )
def client(self) -> SecretManagerServiceClient:
    """Build a Secret Manager client, resolving credentials on every call.

    Side effect: ``self.credentials`` and ``self.project_id`` are rewritten
    each time from ``self.gcp_key_path`` and ``self.gcp_scopes``.
    """
    resolved_scopes = _get_scopes(self.gcp_scopes)
    creds, project = get_credentials_and_project_id(
        key_path=self.gcp_key_path, scopes=resolved_scopes)
    self.credentials, self.project_id = creds, project
    # Tag requests with the running Airflow version for attribution.
    library_tag = 'airflow_v' + version.version
    return SecretManagerServiceClient(
        credentials=creds,
        client_info=ClientInfo(client_library_version=library_tag),
    )
def client(self) -> SecretManagerServiceClient:
    """Return a Secret Manager client authenticated with ``self.credentials``.

    ``CLIENT_INFO`` (module-level) supplies the user-agent attribution.
    """
    return SecretManagerServiceClient(
        credentials=self.credentials,
        client_info=CLIENT_INFO,
    )