def get_secret(project_id, secret_id): """ Get information about the given secret. This only returns metadata about the secret container, not any secret material. """ # Import the Secret Manager client library. from google.cloud import secretmanager_v1beta1 as secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() # Build the resource name of the secret. name = client.secret_path(project_id, secret_id) # Delete the secret. response = client.get_secret(name) # Get the replication policy. if response.replication.automatic: replication = 'AUTOMATIC' elif response.replication.user_managed: replication = 'MANAGED' else: raise 'Unknown replication {}'.format(response.replication) # Print data about the secret. print('Got secret {} with replication policy {}'.format( response.name, replication)) # [END secretmanager_get_secret] return response
def test_update_secret(self): # Setup Expected Response name = "name3373707" expected_response = {"name": name} expected_response = resources_pb2.Secret(**expected_response) # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1beta1.SecretManagerServiceClient() # Setup Request secret = {} update_mask = {} response = client.update_secret(secret, update_mask) assert expected_response == response assert len(channel.requests) == 1 expected_request = service_pb2.UpdateSecretRequest( secret=secret, update_mask=update_mask) actual_request = channel.requests[0][1] assert expected_request == actual_request
def add_secret_version(project_id, secret_id, payload): """ Add a new secret version to the given secret with the provided payload. """ # Import the Secret Manager client library. from google.cloud import secretmanager_v1beta1 as secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() # Build the resource name of the parent secret. parent = client.secret_path(project_id, secret_id) # Convert the string payload into a bytes. This step can be omitted if you # pass in bytes instead of a str for the payload argument. payload = payload.encode('UTF-8') # Add the secret version. response = client.add_secret_version(parent, {'data': payload}) # Print the new secret version name. print('Added secret version: {}'.format(response.name)) # [END secretmanager_add_secret_version] return response
def create_secret(ctx, env, location, keyring, keyname, secret_name, plaintext): """ jeeves crypt create-secret ENV LOCATION KEYRING KEYNAME SECRET_NAME PLAINTExT env = local, dev, tst, prd location = 'us-west3', 'us-west2', etc Encodes the plaintext secret and writes it to gcloud secrets """ encoded = ctx.invoke(encode_secret, env=env, location=location, keyring=keyring, keyname=keyname, plaintext=plaintext) client = secretmanager.SecretManagerServiceClient() path = client.secret_path(gcloud.project(env), secret_name) try: version = client.add_secret_version(path, {'data': encoded.encode('utf-8')}) except NotFound: client.create_secret(client.project_path(gcloud.project(env)), secret_name, { 'replication': { 'automatic': {}, }, }) version = client.add_secret_version(path, {'data': encoded.encode('utf-8')}) assert version is not None
def create_secret(project_id, secret_id): """ Create a new secret with the given name. A secret is a logical wrapper around a collection of secret versions. Secret versions hold the actual secret material. """ # Import the Secret Manager client library. from google.cloud import secretmanager_v1beta1 as secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() # Build the resource name of the parent project. parent = client.project_path(project_id) # Create the secret. response = client.create_secret(parent, secret_id, { 'replication': { 'automatic': {}, }, }) # Print the new secret name. print('Created secret: {}'.format(response.name))
def iam_revoke_access(project_id, secret_id, member): """ Revoke the given member access to a secret. """ # Import the Secret Manager client library. from google.cloud import secretmanager_v1beta1 as secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() # Build the resource name of the secret. name = client.secret_path(project_id, secret_id) # Get the current IAM policy. policy = client.get_iam_policy(name) # Remove the given member's access permissions. accessRole = 'roles/secretmanager.secretAccessor' for b in list(policy.bindings): if b.role == accessRole and member in b.members: b.members.remove(member) # Update the IAM Policy. new_policy = client.set_iam_policy(name, policy) # Print data about the secret. print('Updated IAM policy on {}'.format(secret_id)) # [END secretmanager_iam_revoke_access] return new_policy
def test_create_secret(self): # Setup Expected Response name = "name3373707" expected_response = {"name": name} expected_response = resources_pb2.Secret(**expected_response) # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1beta1.SecretManagerServiceClient() # Setup Request parent = client.project_path("[PROJECT]") secret_id = "secretId-739547894" response = client.create_secret(parent, secret_id) assert expected_response == response assert len(channel.requests) == 1 expected_request = service_pb2.CreateSecretRequest(parent=parent, secret_id=secret_id) actual_request = channel.requests[0][1] assert expected_request == actual_request
def test_get_iam_policy(self): # Setup Expected Response version = 351608024 etag = b"21" expected_response = {"version": version, "etag": etag} expected_response = policy_pb2.Policy(**expected_response) # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1beta1.SecretManagerServiceClient() # Setup Request resource = "resource-341064690" response = client.get_iam_policy(resource) assert expected_response == response assert len(channel.requests) == 1 expected_request = iam_policy_pb2.GetIamPolicyRequest( resource=resource) actual_request = channel.requests[0][1] assert expected_request == actual_request
def test_test_iam_permissions(self): # Setup Expected Response expected_response = {} expected_response = iam_policy_pb2.TestIamPermissionsResponse( **expected_response) # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1beta1.SecretManagerServiceClient() # Setup Request resource = "resource-341064690" permissions = [] response = client.test_iam_permissions(resource, permissions) assert expected_response == response assert len(channel.requests) == 1 expected_request = iam_policy_pb2.TestIamPermissionsRequest( resource=resource, permissions=permissions) actual_request = channel.requests[0][1] assert expected_request == actual_request
def main(): access_token = os.getenv(ACCESS_TOKEN_ENV_VARIABLE) if not access_token: project_id = 'cirq-infra' print('{} not set. Trying secret manager.'.format( ACCESS_TOKEN_ENV_VARIABLE), file=sys.stderr) client = secretmanager_v1beta1.SecretManagerServiceClient() secret_name = (f'projects/{project_id}/' f'secrets/cirq-bot-api-key/versions/1') response = client.access_secret_version(name=secret_name) access_token = response.payload.data.decode('UTF-8') repo = GithubRepository( organization=GITHUB_REPO_ORGANIZATION, name=GITHUB_REPO_NAME, access_token=access_token) log('Watching for automergeable PRs.') problem_seen_times = {} # type: Dict[int, datetime.datetime] while True: try: duty_cycle(repo, problem_seen_times) except Exception: # Anything but a keyboard interrupt / system exit. traceback.print_exc() wait_for_polling_period()
def test_list_secrets(self): # Setup Expected Response next_page_token = "" total_size = 705419236 secrets_element = {} secrets = [secrets_element] expected_response = { "next_page_token": next_page_token, "total_size": total_size, "secrets": secrets, } expected_response = service_pb2.ListSecretsResponse( **expected_response) # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1beta1.SecretManagerServiceClient() # Setup Request parent = client.project_path("[PROJECT]") paged_list_response = client.list_secrets(parent) resources = list(paged_list_response) assert len(resources) == 1 assert expected_response.secrets[0] == resources[0] assert len(channel.requests) == 1 expected_request = service_pb2.ListSecretsRequest(parent=parent) actual_request = channel.requests[0][1] assert expected_request == actual_request
def get_secret(project_id, secret_id, version="latest"): client = secretmanager.SecretManagerServiceClient() name = client.secret_version_path(project_id, secret_id, version) version = client.access_secret_version(name) return version.payload.data.decode('utf-8')
def access_secret_version(project_id, secret_id, version_id="latest"): """ Access the payload for the given secret version if one exists. The version can be a version number as a string (e.g. "5") or an alias (e.g. "latest"). """ # Import the Secret Manager client library. from google.cloud import secretmanager_v1beta1 as secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() # Build the resource name of the secret version. name = client.secret_version_path(project_id, secret_id, version_id) # Access the secret version. response = client.access_secret_version(name) # Print the secret payload. # # WARNING: Do not print the secret in a production environment - this # snippet is showing how to access the secret material. payload = response.payload.data.decode("UTF-8") # print('Plaintext: {}'.format(payload)) return payload
def iam_grant_access(project_id, secret_id, member): """ Grant the given member access to a secret. """ # Import the Secret Manager client library. from google.cloud import secretmanager_v1beta1 as secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() # Build the resource name of the secret. name = client.secret_path(project_id, secret_id) # Get the current IAM policy. policy = client.get_iam_policy(name) # Add the given member with access permissions. policy.bindings.add(role='roles/secretmanager.secretAccessor', members=[member]) # Update the IAM Policy. new_policy = client.set_iam_policy(name, policy) # Print data about the secret. print('Updated IAM policy on {}'.format(secret_id)) # [END secretmanager_iam_grant_access] return new_policy
def test_access_secret_version(self): # Setup Expected Response name_2 = "name2-1052831874" expected_response = {"name": name_2} expected_response = service_pb2.AccessSecretVersionResponse( **expected_response) # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1beta1.SecretManagerServiceClient() # Setup Request name = client.secret_version_path("[PROJECT]", "[SECRET]", "[SECRET_VERSION]") response = client.access_secret_version(name) assert expected_response == response assert len(channel.requests) == 1 expected_request = service_pb2.AccessSecretVersionRequest(name=name) actual_request = channel.requests[0][1] assert expected_request == actual_request
def test_add_secret_version(self): # Setup Expected Response name = "name3373707" expected_response = {"name": name} expected_response = resources_pb2.SecretVersion(**expected_response) # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1beta1.SecretManagerServiceClient() # Setup Request parent = client.secret_path("[PROJECT]", "[SECRET]") payload = {} response = client.add_secret_version(parent, payload) assert expected_response == response assert len(channel.requests) == 1 expected_request = service_pb2.AddSecretVersionRequest(parent=parent, payload=payload) actual_request = channel.requests[0][1] assert expected_request == actual_request
def __init__(self): import google.auth from google.cloud import secretmanager_v1beta1 as sm _, project = google.auth.default() if project: self._client = sm.SecretManagerServiceClient() self._project = project else: raise RuntimeError("Could get default GCP project")
def access_secret_version(project_id, secret_id, version_id): """ Accesses the payload for the given secret version if one exists. The version can be a version number as a string (e.g. "5") or an alias (e.g. "latest"). """ client = secretmanager.SecretManagerServiceClient() name = client.secret_version_path(project_id, secret_id, version_id) response = client.access_secret_version(name) payload = response.payload.data.decode('UTF-8') return payload
def access_secret_bytes(secret_name): """ Access the payload string for the latest secret version if one exists. See https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#secretmanager-access-secret-version-python """ client = secretmanager.SecretManagerServiceClient() project_id = "294417890851" secret_version = "latest" name = client.secret_version_path(project_id, secret_name, secret_version) response = client.access_secret_version(name) return response.payload.data
def createsuperuser(apps, schema_editor): # Retrieve secret from Secret Manager _, project = google.auth.default() client = sm.SecretManagerServiceClient() path = client.secret_version_path(project, "admin_password", "latest") admin_password = client.access_secret_version(path).payload.data.decode("UTF-8") # Create a new user using acquired password from django.contrib.auth.models import User User.objects.create_superuser("admin", password=admin_password)
def get_secret(project_name, secret_name, version_num): """ Returns secret payload from Cloud Secret Manager """ try: client = secretmanager_v1beta1.SecretManagerServiceClient() name = client.secret_version_path(project_name, secret_name, version_num) secret = client.access_secret_version(name) return secret.payload.data except Exception as e: print(e)
def test_get_iam_policy_exception(self): # Mock the API response channel = ChannelStub(responses=[CustomException()]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1beta1.SecretManagerServiceClient() # Setup request resource = "resource-341064690" with pytest.raises(CustomException): client.get_iam_policy(resource)
def test_delete_secret_exception(self): # Mock the API response channel = ChannelStub(responses=[CustomException()]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1beta1.SecretManagerServiceClient() # Setup request name = client.secret_path("[PROJECT]", "[SECRET]") with pytest.raises(CustomException): client.delete_secret(name)
def test_list_secret_versions_exception(self): channel = ChannelStub(responses=[CustomException()]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1beta1.SecretManagerServiceClient() # Setup request parent = client.secret_path("[PROJECT]", "[SECRET]") paged_list_response = client.list_secret_versions(parent) with pytest.raises(CustomException): list(paged_list_response)
def test_create_secret_exception(self): # Mock the API response channel = ChannelStub(responses=[CustomException()]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1beta1.SecretManagerServiceClient() # Setup request parent = client.project_path("[PROJECT]") secret_id = "secretId-739547894" with pytest.raises(CustomException): client.create_secret(parent, secret_id)
def test_update_secret_exception(self): # Mock the API response channel = ChannelStub(responses=[CustomException()]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1beta1.SecretManagerServiceClient() # Setup request secret = {} update_mask = {} with pytest.raises(CustomException): client.update_secret(secret, update_mask)
def access_secret(secret_key): if settings.LOCAL_DEVELOPMENT: return os.environ[secret_key] else: import google.auth from google.cloud import secretmanager_v1beta1 as sm _, project = google.auth.default() client = sm.SecretManagerServiceClient() path = client.secret_version_path(project, secret_key, "latest") payload = client.access_secret_version(path).payload.data.decode( "UTF-8") return payload
def access_secrets(secret_keys): secrets = {} _, project = google.auth.default() if project: client = sm.SecretManagerServiceClient() for s in secret_keys: path = client.secret_version_path(project, s, "latest") payload = client.access_secret_version(path).payload.data.decode( "UTF-8") secrets[s] = payload return secrets
def get_secret_value(secret_id, default=None, raise_exception=True): try: version_id = 1 client = secretmanager.SecretManagerServiceClient() name = client.secret_version_path(project_id, secret_id, version_id) response = client.access_secret_version(name) return response.payload.data.decode('UTF-8') except google.api_core.exceptions.NotFound: if default is None and raise_exception: raise return default
def KeyGen(keyfile): # Connect to the secret manager in GCP to generate the local copy of the GCP Service Account key file client = secretmanager.SecretManagerServiceClient() # Variables for the GCP secret and project names defined in the Dockerfile secret_name = os.environ['GCP_SECRET'] project_id = os.environ['GCP_PROJECT'] # Define the path and version of the secret. Update the version number if needed secret_name = f"projects/{project_id}/secrets/{secret_name}/versions/1" response = client.access_secret_version(secret_name) secret_string = response.payload.data.decode('UTF-8') print('Secret accessed and generating service key') # Write the contents of the GCP secret to a local json file. The key file and path is passed from the 'GCP_KEYFILE' environment variable defined in the Dockerfile with open(keyfile, 'w') as outfile: outfile.write(secret_string) print('Service account key created')