问题描述
从文档如何在Google App Engine Standard上使用Google密钥管理系统(KMS),特别是在使用开发服务器在本地进行开发时。
它看起来相当简单:
- 在Python虚拟环境中安装
google-api-python-client在appengine_config.py中添加virtualenv路径google.appengine.ext.vendor)
- 导入
googleapiclient.discovery - 通过
google.appengine.api.app_identity获取应用程序标识 - 以预期/记录的方式使用
kms客户端
...然后按照文档中链接的教程。然而,我迄今为止的尝试并未取得成功,而且文件似乎只需要几个步骤。
这感觉就像我开创了一个新天地,确保其他人已经拥有。
有没有人在App Engine Standard&它的本地开发服务器?
编辑 - 使用代码示例更新
以下是一些代码,似乎与我的默认凭据设置。
mykms.py
从google.appengine.api导入googleapiclient.discovery调用:
从oauth2client.client导入app_identity
导入GoogleCredentials
credentials = GoogleCredentials.get_application_default()
PROJECT ='my-crypto-project'
IS_LOCAL = True
LOCATION ='global'
TESTING_KR ='testing-keyring '
KEY_RING = TESTING_KR if IS_LOCAL else app_identity.get_application_id()
kms = googleapiclient.discovery.build('cloudkms','v1',credentials = credentials)
def encrypt(明文,cryptokey,keyring = KEY_RING,location = LOCATION):
name ='projects / {} / locations / {} / keyRings / {} / cryptoKeys / {}'。format(
PROJECT,location,keyri ng,cryptokey
)
cryptokeys = kms.projects()。locations()。keyRings()。cryptoKeys()
request = cryptokeys.encrypt(name = name,body = {'plaintext ':plaintext})
返回request.execute()
def解密(ciphertext,cryptokey,keyring = KEY_RING,location = LOCATION):
name =' projects / {} / locations / {} / keyRings / {} / cryptokey'.format(
PROJECT,location,keyring
)
cryptokeys = kms.projects()。locations()。 keyRings()。cryptoKeys()
request = cryptokeys.decrypt(name = name,body = {'ciphertext':ciphertext})
return request.execute()
dev_appserver.py
$
$ bimport mykms
mykms.encrypt(my text,cryptokey =my-key-ring)
给出错误:
这不是特别有用,主要关注Google登录该网站;但是,当我从命令行导入
mykms时,出现错误:
这似乎是现在的正确选择。 eport back。
编辑#2
该应用程序现在似乎已连接到KMS。我删除并重新登录到
gcloud auth application-default login。然而,有一个奇怪的副作用 - 似乎是扫描驱动器,以及数百条消息(似乎从根目录的每个可访问的目录),就像下面的混乱日志: b
$ bThat's not especially helpful, being mostly concerned with Google Sign-In on the website; however, when I import the
mykmsfrom the command line, I get the error:This seems like the correct lead for now. Will flush it out and report back.
EDIT #2
The application seems to now connect to KMS. I deleted and re-logged into
gcloud auth application-default login.However, there's a weird side effect — something seems to be scanning the drive, and hundreds of messages (seemingly one for every accessible directory from root) like the following clutter the log:
解决方案If you're developing using Cloud KMS in GAE, there isn't a local dev service, you can only talk to the main production service as you've gathered. You could use the libraries as you've detailed to develop locally, but would still be hitting production.
Note that you'll have to give GAE application default credentials with a scope for use, see https://cloud.google.com/kms/docs/accessing-the-api#google_app_engine
You can also make requests as the GAE service account if you use
gcloud iam service-accounts keysandgcloud auth activate-service-account.In general, for a dev environment, you might want to segment this as a separate KeyRing (or even a separate project) from your production resources.
这篇关于谷歌KMS在AppEngine / Python&开发AppServer的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!