def _get_github_token(): """Return the github token from secret manager.""" _, project = google.auth.default() client = secretmanager_v1.SecretManagerServiceClient() name = client.secret_version_path(project, 'github-token', 'latest') response = client.access_secret_version(name) return response.payload.data.decode('utf8')
def test_get_iam_policy(self): # Setup Expected Response version = 351608024 etag = b"21" expected_response = {"version": version, "etag": etag} expected_response = policy_pb2.Policy(**expected_response) # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1.SecretManagerServiceClient() # Setup Request resource = "resource-341064690" response = client.get_iam_policy(resource) assert expected_response == response assert len(channel.requests) == 1 expected_request = iam_policy_pb2.GetIamPolicyRequest( resource=resource) actual_request = channel.requests[0][1] assert expected_request == actual_request
def cert(): client = secretmanager_v1.SecretManagerServiceClient() with tempfile.NamedTemporaryFile("w", prefix="certificate", suffix=".crt", delete=False) as cert_file: response = client.access_secret_version(request={ "name": "projects/911343863113/secrets/cert-cert-crt/versions/1" }) payload = response.payload.data.decode("UTF-8") cert_file.write(payload) with tempfile.NamedTemporaryFile("w", prefix="private", suffix=".key", delete=False) as private_key_file: response = client.access_secret_version(request={ "name": "projects/911343863113/secrets/cert-private-key/versions/3" }) payload = response.payload.data.decode("UTF-8") private_key_file.write(payload) cert_file = Path(cert_file.name) private_key_file = Path(private_key_file.name) yield ( str(cert_file.absolute()), str(private_key_file.absolute()), ) cert_file.unlink() private_key_file.unlink()
def test_add_secret_version(self): # Setup Expected Response name = "name3373707" expected_response = {"name": name} expected_response = resources_pb2.SecretVersion(**expected_response) # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1.SecretManagerServiceClient() # Setup Request parent = client.secret_path("[PROJECT]", "[SECRET]") payload = {} response = client.add_secret_version(parent, payload) assert expected_response == response assert len(channel.requests) == 1 expected_request = service_pb2.AddSecretVersionRequest(parent=parent, payload=payload) actual_request = channel.requests[0][1] assert expected_request == actual_request
def get_client(cls, expected_response): # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel return secretmanager_v1.SecretManagerServiceClient()
def test_create_secret(self): # Setup Expected Response name = "name3373707" expected_response = {"name": name} expected_response = resources_pb2.Secret(**expected_response) # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1.SecretManagerServiceClient() # Setup Request parent = client.project_path("[PROJECT]") secret_id = "secretId-739547894" secret = {} response = client.create_secret(parent, secret_id, secret) assert expected_response == response assert len(channel.requests) == 1 expected_request = service_pb2.CreateSecretRequest(parent=parent, secret_id=secret_id, secret=secret) actual_request = channel.requests[0][1] assert expected_request == actual_request
def test_test_iam_permissions(self): # Setup Expected Response expected_response = {} expected_response = iam_policy_pb2.TestIamPermissionsResponse( **expected_response) # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1.SecretManagerServiceClient() # Setup Request resource = "resource-341064690" permissions = [] response = client.test_iam_permissions(resource, permissions) assert expected_response == response assert len(channel.requests) == 1 expected_request = iam_policy_pb2.TestIamPermissionsRequest( resource=resource, permissions=permissions) actual_request = channel.requests[0][1] assert expected_request == actual_request
def test_list_secrets(self): # Setup Expected Response next_page_token = "" total_size = 705419236 secrets_element = {} secrets = [secrets_element] expected_response = { "next_page_token": next_page_token, "total_size": total_size, "secrets": secrets, } expected_response = service_pb2.ListSecretsResponse( **expected_response) # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1.SecretManagerServiceClient() # Setup Request parent = client.project_path("[PROJECT]") paged_list_response = client.list_secrets(parent) resources = list(paged_list_response) assert len(resources) == 1 assert expected_response.secrets[0] == resources[0] assert len(channel.requests) == 1 expected_request = service_pb2.ListSecretsRequest(parent=parent) actual_request = channel.requests[0][1] assert expected_request == actual_request
def test_update_secret(self): # Setup Expected Response name = "name3373707" expected_response = {"name": name} expected_response = resources_pb2.Secret(**expected_response) # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1.SecretManagerServiceClient() # Setup Request secret = {} update_mask = {} response = client.update_secret(secret, update_mask) assert expected_response == response assert len(channel.requests) == 1 expected_request = service_pb2.UpdateSecretRequest( secret=secret, update_mask=update_mask) actual_request = channel.requests[0][1] assert expected_request == actual_request
def test_access_secret_version(self): # Setup Expected Response name_2 = "name2-1052831874" expected_response = {"name": name_2} expected_response = service_pb2.AccessSecretVersionResponse( **expected_response) # Mock the API response channel = ChannelStub(responses=[expected_response]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1.SecretManagerServiceClient() # Setup Request name = client.secret_version_path("[PROJECT]", "[SECRET]", "[SECRET_VERSION]") response = client.access_secret_version(name) assert expected_response == response assert len(channel.requests) == 1 expected_request = service_pb2.AccessSecretVersionRequest(name=name) actual_request = channel.requests[0][1] assert expected_request == actual_request
def _client(self): if self.client: return self.client from google.cloud import secretmanager_v1 self.client = secretmanager_v1.SecretManagerServiceClient() return self.client
def get_secret(): secret_manager_client = secretmanager_v1.SecretManagerServiceClient() secret_name = secret_manager_client.secret_version_path( os.environ['PROJECT_ID'], os.environ['SECRET_NAME'], 'latest') response = secret_manager_client.access_secret_version(secret_name) payload = response.payload.data.decode('UTF-8') return payload
def access_secret_version(project_id, secret_id, version_id): """ Accesses the payload for the given secret version if one exists. The version can be a version number as a string (e.g. "5") or an alias (e.g. "latest"). """ client = secretmanager.SecretManagerServiceClient() name = client.secret_version_path(project_id, secret_id, version_id) response = client.access_secret_version(name) payload = response.payload.data.decode('UTF-8') return payload
def get_secret(self, secret_id, version="latest"): """ Access the payload for the given secret version if one exists. The version can be a version number as a string (e.g. "5") or an alias (e.g. "latest"). """ if self.secretmanager_client is None: self.secretmanager_client = secretmanager.SecretManagerServiceClient() secret_path = f"projects/{self.project_id}/secrets/{secret_id}/versions/{version}" response = self.secretmanager_client.access_secret_version(name=secret_path) return response.payload.data.decode("UTF-8")
def add_secret(self, secret_id, data): """ Add a new secret version to the given secret with the provided data. """ if self.secretmanager_client is None: self.secretmanager_client = secretmanager.SecretManagerServiceClient() parent = f"projects/{self.project_id}/secrets/{secret_id}" payload = secretmanager.types.SecretPayload(data=data.encode("UTF-8")) response = self.secretmanager_client.add_secret_version(parent=parent, payload=payload) print("Added secret version: {}".format(response.name))
def __init__(self, project_id=None): scraped_id = environ.get('GCP_PROJECT', project_id) self.project_id = scraped_id if running_in_gcf(): self.client = sm.SecretManagerServiceClient() else: import logging logging.warning( 'SecretManager -> Running local; using ./account.json') self.client = sm.SecretManagerServiceClient.from_service_account_json( 'account.json')
def sample_delete_secret(): # Create a client client = secretmanager_v1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1.DeleteSecretRequest( name="name_value", ) # Make the request client.delete_secret(request=request)
def get_secret(self, project_id, secret_id): client = secretmanager_v1.SecretManagerServiceClient() secret_name = client.secret_version_path(project_id, secret_id, 'latest') response = client.access_secret_version(secret_name) payload = response.payload.data.decode('UTF-8') return payload
def sample_access_secret_version(): # Create a client client = secretmanager_v1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1.AccessSecretVersionRequest(name="name_value", ) # Make the request response = client.access_secret_version(request=request) # Handle the response print(response)
def sample_get_secret(): # Create a client client = secretmanager_v1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1.GetSecretRequest(name="name_value", ) # Make the request response = client.get_secret(request=request) # Handle the response print(response)
def get_secret(): client = secretmanager_v1.SecretManagerServiceClient() secret_name = client.secret_version_path( os.environ['GOOGLE_CLOUD_PROJECT'], '{}-api-key'.format(os.environ['GOOGLE_CLOUD_PROJECT']), 'latest') response = client.access_secret_version(request={"name": secret_name}) payload = response.payload.data.decode('utf-8').replace('\n', '') return payload
def init_vars(): client = secretmanager_v1.SecretManagerServiceClient() secrets = ["APCA_API_KEY_ID", "APCA_API_SECRET_KEY", "NEWS_API_KEY"] result = {"APCA_API_BASE_URL": "https://paper-api.alpaca.markets"} for s in secrets: name = f"projects/{PRJID}/secrets/{s}/versions/latest" response = client.access_secret_version(request={'name': name}) print(response) os.environ[s] = response.payload.data.decode('UTF-8') result[s] = response.payload.data.decode('UTF-8') print(result) return result
def sample_set_iam_policy(): # Create a client client = secretmanager_v1.SecretManagerServiceClient() # Initialize request argument(s) request = iam_policy_pb2.SetIamPolicyRequest(resource="resource_value", ) # Make the request response = client.set_iam_policy(request=request) # Handle the response print(response)
def get_secret(project_id, secret_id): """ Returns a Secret Manager secret. """ client = secretmanager_v1.SecretManagerServiceClient() secret_name = client.secret_version_path(project_id, secret_id, "latest") response = client.access_secret_version(request={"name": secret_name}) payload = response.payload.data.decode("UTF-8") return payload
def test_list_secret_versions_exception(self): channel = ChannelStub(responses=[CustomException()]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1.SecretManagerServiceClient() # Setup request parent = client.secret_path("[PROJECT]", "[SECRET]") paged_list_response = client.list_secret_versions(parent) with pytest.raises(CustomException): list(paged_list_response)
def test_delete_secret_exception(self): # Mock the API response channel = ChannelStub(responses=[CustomException()]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1.SecretManagerServiceClient() # Setup request name = client.secret_path("[PROJECT]", "[SECRET]") with pytest.raises(CustomException): client.delete_secret(name)
def test_get_iam_policy_exception(self): # Mock the API response channel = ChannelStub(responses=[CustomException()]) patch = mock.patch("google.api_core.grpc_helpers.create_channel") with patch as create_channel: create_channel.return_value = channel client = secretmanager_v1.SecretManagerServiceClient() # Setup request resource = "resource-341064690" with pytest.raises(CustomException): client.get_iam_policy(resource)
def sample_update_secret(): # Create a client client = secretmanager_v1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1.UpdateSecretRequest( ) # Make the request response = client.update_secret(request=request) # Handle the response print(response)
def sample_list_secrets(): # Create a client client = secretmanager_v1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1.ListSecretsRequest(parent="parent_value", ) # Make the request page_result = client.list_secrets(request=request) # Handle the response for response in page_result: print(response)
def refresh_token(event, context): """ helper function to refresh defender token and store in secrets manager runs on a cron job (Cloud Scheduler) which triggers via pub/sub """ # build client and vars secret_client = secretmanager_v1.SecretManagerServiceClient() project_id = os.environ['GCP_PROJECT'] secret_parent = f'projects/{project_id}' secret_name = secret_parent + f'/secrets/{secret_id}' secret_version = secret_name + '/versions/latest' # fetch secret with current token secret_data = secret_client.access_secret_version( request={'name': secret_version}) #print("DEBUG: ", secret_data) # decode and format payload = secret_data.payload.data.decode('UTF-8') current_token = 'Bearer ' + str(payload) headers = {'authorization': current_token} # request to refresh the token refresh_token = requests.get(console_address, headers=headers, verify=False) print("DEBUG: ", refresh_token) # load new token as json and encode response_data = json.loads(refresh_token.content) new_token = response_data['token'].encode('utf-8') # create new secret version with upadated token value parent = secret_client.secret_path(project_id, secret_id) response = secret_client.add_secret_version(request={ "parent": parent, "payload": { "data": new_token } }) print("DEBUG: ", response) new_version_name = response.name # destroy old version(s) for version in secret_client.list_secret_versions( request={"parent": parent}): # skip over newly created version with updated token if version.name == new_version_name: continue # destroy enabled versions if str(version.state) == "State.ENABLED": print("DELETING: ", version.name, version.state) delete_secret = secret_client.destroy_secret_version( request={'name': version.name}) print("SECRET VERSION DESTROYED: ", delete_secret)