google-cloud-kms

Google Cloud Build doesn't substitute values in secrets section of cloudbuild.yaml

Submitted by 断了今生、忘了曾经 on 2019-12-08 01:55:16
Question: I'm trying to create a Cloud Build trigger where secret environment variables are encrypted with cloud KMS and stored as a substitution variable in Cloud Build. This way my cloud build yaml is fairly generic and the same across all environments we're deploying to. This cloud build yaml works fine: steps: - name: 'ubuntu' entrypoint: 'bash' args: ['-c', 'echo "$$APP_NAME HAS A VALUE $$HELLO_WORLD"'] env: - 'APP_NAME=${_APP_NAME}' secretEnv: - 'HELLO_WORLD' secrets: - kmsKeyName: 'projects/my

Google cloud KMS: encryption works but decryption fails

Submitted by 余生长醉 on 2019-12-07 18:04:31
Question: I am trying to decrypt a token using the google KMS tool. Running it locally, for some reason, encryption seems to work but not decryption. I am running the following code: import base64 import googleapiclient.discovery kms_client = googleapiclient.discovery.build('cloudkms', 'v1') crypto_keys = kms_client.projects().locations().keyRings().cryptoKeys() name = "projects/my-project/locations/my-loc/keyRings/my-kr/cryptoKeys/my-key" request = crypto_keys.decrypt(name=name, body={'ciphertext':

Google Cloud Build doesn't substitute values in secrets section of cloudbuild.yaml

Submitted by ≯℡__Kan透↙ on 2019-12-06 15:04:32
I'm trying to create a Cloud Build trigger where secret environment variables are encrypted with cloud KMS and stored as a substitution variable in Cloud Build. This way my cloud build yaml is fairly generic and the same across all environments we're deploying to. This cloud build yaml works fine: steps: - name: 'ubuntu' entrypoint: 'bash' args: ['-c', 'echo "$$APP_NAME HAS A VALUE $$HELLO_WORLD"'] env: - 'APP_NAME=${_APP_NAME}' secretEnv: - 'HELLO_WORLD' secrets: - kmsKeyName: 'projects/my-first-cicd-project/locations/europe-west1/keyRings/keyring-dev/cryptoKeys/key-backend' secretEnv: HELLO

Permission denied on Cloud KMS key when using cloud storage

Submitted by 只愿长相守 on 2019-12-06 06:33:16
Question: I am using cloud storage to upload a file with a kms key. Here is my code: await storage.bucket(config.bucket).upload(file, { kmsKeyName: `projects/${process.env.PROJECT_ID}/locations/global/keyRings/test/cryptoKeys/nodejs-gcp`, destination: 'mmczblsq.kms.encrypted.doc' }); I have a cloud-storage-admin.json service account with cloud storage admin permission. I initialize the storage with this service account. const storage: Storage = new Storage({ projectId: process.env.PROJECT_ID, keyFilename:

Permission denied on Cloud KMS key when using cloud storage

Submitted by 百般思念 on 2019-12-04 16:48:14
I am using cloud storage to upload a file with a kms key. Here is my code: await storage.bucket(config.bucket).upload(file, { kmsKeyName: `projects/${process.env.PROJECT_ID}/locations/global/keyRings/test/cryptoKeys/nodejs-gcp`, destination: 'mmczblsq.kms.encrypted.doc' }); I have a cloud-storage-admin.json service account with cloud storage admin permission. I initialize the storage with this service account. const storage: Storage = new Storage({ projectId: process.env.PROJECT_ID, keyFilename: path.resolve(__dirname, '../.gcp/cloud-storage-admin.json') }); And, I use gcloud kms keys add-iam-policy
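A check worth running for both copies of the "Permission denied on Cloud KMS key when using cloud storage" question above. With customer-managed encryption keys on Cloud Storage, the principal that must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key is the project's Cloud Storage service agent (service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com), not the service account that calls storage.bucket().upload(). The script below is an added example, not code from the poster; it reads the key's IAM policy JSON (as printed by `gcloud kms keys get-iam-policy KEY --keyring RING --location LOCATION --format=json`) and reports whether the service agent is granted the role. The project number, project ID and service-account name in the embedded sample policy are constructed for the example.

```javascript
'use strict';

// Added example, not code from the original post. Diagnoses a Cloud KMS key IAM policy
// for use as a Cloud Storage CMEK: the principal that must hold
// roles/cloudkms.cryptoKeyEncrypterDecrypter is the project's Cloud Storage service
// agent, not the service account that calls storage.bucket().upload().
// Input is the JSON printed by:
//   gcloud kms keys get-iam-policy KEY --keyring RING --location LOCATION --format=json

const KMS_USE_ROLE = 'roles/cloudkms.cryptoKeyEncrypterDecrypter';

// Cloud Storage service agent for a project. PROJECT_NUMBER is the numeric project
// number, not the project ID (this is the documented address format).
function gcsServiceAgent(projectNumber) {
  return `serviceAccount:service-${projectNumber}@gs-project-accounts.iam.gserviceaccount.com`;
}

// Members holding `role` through unconditional bindings. Bindings carrying an IAM
// condition are skipped: a grant that only applies under some condition is not a
// reliable CMEK grant and would still fail uploads outside that condition.
function unconditionalMembers(policy, role) {
  const members = new Set();
  for (const b of policy.bindings || []) {
    if (b.role === role && !b.condition) {
      for (const m of b.members || []) members.add(m);
    }
  }
  return members;
}

// Returns a diagnosis object; `serviceAgentCanUseKey` decides whether a CMEK upload
// can succeed at all, regardless of what the caller itself has been granted.
function diagnoseCmekPolicy(policy, projectNumber, callerServiceAccountEmail) {
  const agent = gcsServiceAgent(projectNumber);
  const caller = `serviceAccount:${callerServiceAccountEmail}`;
  const users = unconditionalMembers(policy, KMS_USE_ROLE);
  return {
    serviceAgent: agent,
    serviceAgentCanUseKey: users.has(agent),
    callerCanUseKey: users.has(caller),
    // Granting the uploading service account instead of the service agent is the
    // usual misconfiguration behind "permission denied" on the key.
    misgrantedToCallerOnly: users.has(caller) && !users.has(agent),
  };
}

// Constructed sample policy (hypothetical project number, project ID and account):
// the uploading service account was granted the role, the service agent was not.
const SAMPLE_PROJECT_NUMBER = '123456789012';
const SAMPLE_CALLER = 'cloud-storage-admin@my-project.iam.gserviceaccount.com';
const SAMPLE_POLICY = {
  bindings: [
    { role: KMS_USE_ROLE, members: [`serviceAccount:${SAMPLE_CALLER}`] },
  ],
};

const SAMPLE_DIAGNOSIS = diagnoseCmekPolicy(SAMPLE_POLICY, SAMPLE_PROJECT_NUMBER, SAMPLE_CALLER);
console.log(JSON.stringify(SAMPLE_DIAGNOSIS, null, 2));
if (!SAMPLE_DIAGNOSIS.serviceAgentCanUseKey) {
  console.log(`grant ${KMS_USE_ROLE} to ${SAMPLE_DIAGNOSIS.serviceAgent} on the key`);
}
```

The fix it points at is the same gcloud subcommand the poster mentions, with `--member` set to the service agent address printed in the diagnosis and `--role` set to roles/cloudkms.cryptoKeyEncrypterDecrypter.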

Using Google Cloud Key Management Service to sign JSON Web Tokens

Submitted by 喜夏-厌秋 on 2019-12-01 05:40:17
Question: Edit: I found the answer. Scroll to the bottom of this question. I am working on a NodeJS authentication server and I would like to sign JSON Web Tokens (JWT) using google signatures. I am using Google Cloud Key Management Service (KMS) and I created a key ring and an asymmetric signing key. This is my code to get the signature: signatureObject = await client.asymmetricSign({ name, digest }) signature = signatureObject["0"].signature My Google signature object looks like this: My question: