我在Node.js(10)中编写了一个云函数,并试图像这样访问一个 secret :
const [secret] = await new SecretManagerServiceClient().accessSecretVersion({
name: `projects/PROJECT_NUMBER/secrets/SECRET_NAME/versions/latest`
})
我在Web控制台中创建了密码,并且代码中使用的名称与现有密码的名称匹配。在有关云功能详细信息的页面上,它指出服务帐户是
PROJECT_ID@appspot.gserviceaccount,com
,因此我向其中添加了secretmanager.secretAccessor
角色。但是,每次我仍然会遇到相同的错误:Error: 7 PERMISSION_DENIED: Permission 'secretmanager.versions.access' denied for resource 'projects/PROJECT_NUMBER/secrets/SECRET_NAME/versions/latest' (or it may not exist).
如果指定具体版本或仅使用最新版本,则没有区别。
最佳答案
HTTP云功能代码:
const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
const secretManagerServiceClient = new SecretManagerServiceClient();
const name = 'projects/shadowsocks-218808/secrets/workflow/versions/latest';
exports.testSecretManager = async (req, res) => {
const [version] = await secretManagerServiceClient.accessSecretVersion({ name });
const payload = version.payload.data.toString();
console.debug(`Payload: ${payload}`);
res.sendStatus(200);
};
部署:gcloud functions deploy testSecretManager --runtime nodejs10 --trigger-http --allow-unauthenticated
Deploying function (may take a while - up to 2 minutes)...done.
availableMemoryMb: 256
entryPoint: testSecretManager
httpsTrigger:
url: https://us-central1-shadowsocks-218808.cloudfunctions.net/testSecretManager
ingressSettings: ALLOW_ALL
labels:
deployment-tool: cli-gcloud
name: projects/shadowsocks-218808/locations/us-central1/functions/testSecretManager
runtime: nodejs10
serviceAccountEmail: shadowsocks-218808@appspot.gserviceaccount.com
sourceUploadUrl: https://storage.googleapis.com/gcf-upload-us-central1-43476143-b555-4cb2-8f6f-1b2d1952a2d7/42c4cda4-98a8-4994-a3be-d2203b9e646a.zip?GoogleAccessId=service-16536262744@gcf-admin-robot.iam.gserviceaccount.com&Expires=1596513795&Signature=kbLw5teN8EoYmj4fEweKKiIaakxcrhlUg2GGHV4jWJjvmeEfXePpRNOn9yz2zLn%2Fba0UqM9qdJMXujs5afBk%2BVBmywPEiptAZe2qgmldpr%2BsYejFu0woNgsPHVqtJ0NoWDo6W2dq4CuNNwO%2BaQ89mnhahUUQTInkJ55Y3wCIe9smk%2BqWtcvta3zICiToA7RQvPKY5MS6NViyj5mLxuJtDlTY9IKPL%2BqG6JAaQJSFYKYVgLyb6JfirXk8Q7%2FMvnHPpXPlhvsBLQksbF6jDPeefp2HyW4%2FSIQYprfpwKV3hlEIQyRQllz5J9yF83%2FxDPh%2BQPc5QmswKP5XAvYaszJPEw%3D%3D
status: ACTIVE
timeout: 60s
updateTime: '2020-08-04T03:34:32.665Z'
versionId: '2'
测试:gcloud functions call testSecretManager --data '{}'
出现与您相同的错误:error: |-
Error: function terminated. Recommended action: inspect logs for termination reason. Details:
7 PERMISSION_DENIED: Permission 'secretmanager.versions.access' denied for resource 'projects/shadowsocks-218808/secrets/workflow/versions/latest' (or it may not exist).
解决方案:您可以从云功能的部署详细信息中找到
serviceAccountEmail: shadowsocks-218808@appspot.gserviceaccount.com
。转到
IAM & Admin
Web UI,单击ADD ANOTHER ROLE
按钮,将Secret Manager Secret Accessor
角色添加到此服务帐户。再次测试:
> gcloud functions call testSecretManager --data '{}'
executionId: 1tsatxl6fndw
result: OK
阅读testSecretManager
云功能的日志:gcloud functions logs read testSecretManager
您将看到 secret 有效负载字符串的日志。
关于node.js - 尽管服务帐户的角色正确,但 secret 管理器访问被拒绝,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/62444867/