google-cloud-kms

PDF document signing with Google KMS and Entrust certificate

送分小仙女□ submitted on 2020-05-28 04:10:47
Question: I am trying to make a valid signature in a PDF document by using a certificate from a CA (Entrust) generated with a private key from Google KMS (the private key never goes out from the KMS). The certificate chain is made as: [entrustCert, intermediate, rootCert] Following is the part of the code I am using to make this happen: String DEST = "/tmp/test_file.pdf"; OutputStream outputFile = new FileOutputStream(DEST); CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

PDF document signing with Google KMS and Entrust certificate

青春壹個敷衍的年華 submitted on 2020-05-28 04:09:06
Question: I am trying to make a valid signature in a PDF document by using a certificate from a CA (Entrust) generated with a private key from Google KMS (the private key never goes out from the KMS). The certificate chain is made as: [entrustCert, intermediate, rootCert] Following is the part of the code I am using to make this happen: String DEST = "/tmp/test_file.pdf"; OutputStream outputFile = new FileOutputStream(DEST); CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

How to specify secretEnv to cloudbuild.yaml via gcloud cli args or environment variables

ⅰ亾dé卋堺 submitted on 2020-03-03 06:58:46
Question: If I follow the cloud build document, I have to specify encrypted secret on cloudbuild.yaml. secrets: - kmsKeyName: projects/[PROJECT-ID]/locations/global/keyRings/[KEYRING-NAME]/cryptoKeys/[KEY-NAME] secretEnv: MY_SECRET: <base64-encoded encrypted secret> Even if it is encrypted, I don't commit secret value at code. Please tell me another way. ex. via args from gcloud builds submit command or environment variables,...etc Answer 1: You can use Google Secret Manager instead. We're still updating

Can't decrypt property from spring cloud config or environment variable

我只是一个虾纸丫 submitted on 2020-01-24 06:44:04
Question: I'm trying to get my KMS library, found here, to decrypt items from my application.yml that come from either the google cloud config server or an environment variable. In playing around I've tried a number of scenarios to get this to work. Ideally I'd like to be able to do something like: username: '{cipher}${db_username} where ${db_username} is either a property I read in from google cloud config or an environment variable. So far what I've tried: ✅ username: ${username} -> Successfully

Error 404 in URL for encrypt with Google KMS

谁都会走 submitted on 2020-01-06 07:20:30
Question: I'm following the tutorial to encrypt data with Google Cloud KMS, but when I try to encrypt it gives me a 404 error. I searched in the code and noted that it has DEFAULT_ROOT_URL = https://cloudkms.googleapis.com/. But the root of the URL does not appear in the URL, then of course it gives error 404. Could someone tell me why the URL was not mounted correctly? I looked in the properties and there is no reference for Root_URL. ` The requested URL /v1beta1/projects/condoease-3f3ea/locations/global/keyRings/test

Google Cloud Key Management Service to sign JSON Web Tokens

不打扰是莪最后的温柔 submitted on 2020-01-04 05:32:04
Question: First of all I tried the solution at: Using Google Cloud Key Management Service to sign JSON Web Tokens But it doesn't work. Creating signature: const TimeStamp = Math.floor(new Date().getTime() / 1000) let body = base64url( JSON.stringify({ alg: 'RS256', typ: 'JWT' }) ) body += '.' body += base64url( JSON.stringify({ iss: 'some-iss', aud: 'some-aud', iat: TimeStamp, exp: TimeStamp + parseInt(process.env.TOKEN_EXPIRY, 10) }) ) const hashedMessage = crypto .createHash('sha256') .update(body)

Why doesn't Google Cloud Key Management Service's Java client library support Android?

折月煮酒 submitted on 2019-12-24 09:04:09
Question: It is documented as not supporting Android. Why? Is it just because Android's BouncyCastle's implementation is shrunk down on features and doesn't support things like KeyPairGenerator/ECDSA (Elliptic Curve Digital Signature Algorithm)? (Here's another link on that.) Wouldn't it be enough to just use SpongyCastle instead? Is it just because Google doesn't support SpongyCastle that its KMS Java client doesn't support Android? Answer 1: https://github.com/GoogleCloudPlatform/google-cloud-java/issues

Google KMS on AppEngine Dev Server - logging clutter

半腔热情 submitted on 2019-12-18 08:57:28
Question: This is a known issue: https://issuetracker.google.com/issues/63253097 Further to my question about getting Google KMS working with App Engine, I'm opening a new question about a related but problematic side effect. Namely, the Google Cloud API discovery appears to want to walk a number of paths outside the AppEngine sandbox. This itself is not a problem, but it makes testing and debugging very problematic because each attempt is logged, producing hundreds of lines like the following: INFO 03

Google KMS on AppEngine/Python & Development AppServer

女生的网名这么多〃 submitted on 2019-12-09 23:47:48
Question: It's not clear from the documentation how one might wield Google Key Management System (KMS) on Google App Engine Standard, particularly when developing locally using the development server. It would appear as reasonably straightforward as: Installing google-api-python-client in a Python virtual env (and adding the virtualenv path with google.appengine.ext.vendor in appengine_config.py) importing googleapiclient.discovery getting the application identity with google.appengine.api.app

How to handle secrets in Google App Engine?

自古美人都是妖i submitted on 2019-12-08 10:07:10
Question: My application needs a bunch of secrets to run: database credentials, API credentials, etc. It's running in Google App Engine Standard Java 11. I need these secrets as environment variables or as arguments to my application, so that my framework can pick them up and establish the connections accordingly. My particular framework is Spring Boot, but I believe Django, Rails and many others use the same methods. What's the best way of doing this? One of the answers I get to this question is to