Saikat Karmakar

Reputation: 230

Alternative way of setting ADC for google cloud to run on read-only pipeline systems?

I'm trying to use the kms module, which requires ADC, which expects GOOGLE_APPLICATION_CREDENTIALS, which is a JSON credential file. So I aim to pass the necessary project_id, location_id etc. as secrets to run on GitHub CI/CD.

The most common way I found is to save the credentials as a string, then read them as a secret and save them in a temporary file on the runner. But the problem is with the production runners, which are not the usual GitHub ones. Hence, it's a completely read-only system.

"401 API keys are not supported by this API" suggests API keys in place of ADC won't work for this particular task. Is there a workaround?

This is what I'm trying to do. Reference: https://github.com/googleapis/google-cloud-python/blob/main/packages/google-cloud-kms/samples/generated_samples/cloudkms_v1_generated_key_management_service_asymmetric_sign_sync.py

from google.cloud import kms_v1


def sample_asymmetric_sign():
    # Create a client
    client = kms_v1.KeyManagementServiceClient()

    # Initialize request argument(s)
    request = kms_v1.AsymmetricSignRequest(
        name="name_value",
    )

    # Make the request
    response = client.asymmetric_sign(request=request)

    # Handle the response
    print(response)

Upvotes: 0

Views: 44

Answers (1)

Saikat Karmakar

Reputation: 230

OK, I have figured out a way of making it work for my use case. If anyone is interested, here it is:

import json
from google.cloud import kms_v1
from google.auth import load_credentials_from_dict
from eth_utils import keccak

# The same JSON that would normally live in the GOOGLE_APPLICATION_CREDENTIALS
# file, parsed from a string instead so nothing has to be written to disk
# (the values here are placeholders)
data = json.loads('{"account":"","client_id":"1234.apps.googleusercontent.com","client_secret":"AAddseSecretAHHAHA","refresh_token":"1//RANDOMMMHEHEHEHEHHE-AAddseSecretAHHAHA-AAddseSecretAHHAHA-RANDOMMMHEHEHEHEHHE-RANDOMMMHEHEHEHEHHE","type":"authorized_user","universe_domain":"googleapis.com"}')
# Build credentials straight from the dict; no file path is involved
creds, _ = load_credentials_from_dict(data)

# Hand the credentials to the client explicitly instead of relying on the ADC lookup
client = kms_v1.KeyManagementServiceClient(credentials=creds)
key_path = "projects/testing-442200/locations/nam10/keyRings/eth-keyring/cryptoKeys/key2/cryptoKeyVersions/1"

# A keccak-256 hash is 32 bytes, the same size as the sha256 digest slot,
# so it can be passed there for the secp256k1 key to sign
msghash = keccak(b"Hello, world!")
response = client.asymmetric_sign(request={"name": key_path, "digest": {"sha256": msghash}})

# Handle the response
print(response)

If anyone is more paranoid, like me, you can check out detailed usage here: web3-google-hsm

Upvotes: 0
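A fuller version of the same approach, added here as an example and not the asker's code or the web3-google-hsm project's: the JSON that would normally sit in the GOOGLE_APPLICATION_CREDENTIALS file is read from a CI secret exposed as an environment variable (GCP_ADC_JSON is an assumed name), checked for the fields google-auth needs, and handed to load_credentials_from_dict, so nothing is ever written to the read-only runner.

```python
import json
import os

# Fields each type must carry before load_credentials_from_dict can build
# credentials. Assumption: they match the JSON from `gcloud auth
# application-default login` (authorized_user) and a service account key.
REQUIRED_KEYS = {
    "authorized_user": {"client_id", "client_secret", "refresh_token"},
    "service_account": {"client_email", "private_key", "token_uri"},
}


def parse_credential_secret(raw: str) -> dict:
    """Parse the JSON blob held in a CI secret and check its shape.

    Messages name a missing field, never a value, so they are safe in CI logs.
    """
    try:
        info = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"credential secret is not valid JSON: {exc.msg}") from None
    if not isinstance(info, dict):
        raise ValueError("credential secret must be a JSON object")
    cred_type = info.get("type")
    if cred_type not in REQUIRED_KEYS:
        raise ValueError(f"unsupported credential type: {cred_type!r}")
    missing = sorted(REQUIRED_KEYS[cred_type] - info.keys())
    if missing:
        raise ValueError(f"{cred_type} credential is missing fields: {missing}")
    return info


def credential_secret_problem(raw: str):
    """Return the validation message for a secret, or None when it is usable."""
    try:
        parse_credential_secret(raw)
    except ValueError as exc:
        return str(exc)
    return None


def load_kms_credentials(env_var: str = "GCP_ADC_JSON", scopes=None):
    """Build google-auth credentials from the env var; nothing is written to disk."""
    raw = os.environ.get(env_var)
    if raw is None:
        raise RuntimeError(f"{env_var} is not set; cannot build credentials")
    info = parse_credential_secret(raw)
    # Imported here so the validation above also runs where google-auth is absent
    from google.auth import load_credentials_from_dict
    return load_credentials_from_dict(info, scopes=scopes)
```

The returned tuple is (credentials, project_id); pass the credentials to kms_v1.KeyManagementServiceClient(credentials=...) exactly as in the answer above.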
