I'm building an http endpoint with Google Cloud Functions. I store an encrypted secret as a file and load and decrypt it inside the function, so that the secret is not kept in the code. Normally I would load something like this dynamically from Google Cloud Storage, but KMS seems better suited for this purpose.
The code that uses KMS looks like this:
getCredentials: async function () {
  const kms = require('@google-cloud/kms');
  const client = new kms.KeyManagementServiceClient();
  const fs = require('fs');
  // secret.enc was produced earlier with KMS encrypt and ships alongside the code
  let ciphertext = (fs.readFileSync('secret.enc')).toString('base64');
  // Full resource name of the key: projects/.../locations/global/keyRings/.../cryptoKeys/...
  const name = client.cryptoKeyPath(
    '[project]',
    'global',
    '[keyring]',
    '[key]'
  );
  // Decrypt call completing the snippet (not shown in the question as posted);
  // the library returns the plaintext as a Buffer.
  const [result] = await client.decrypt({ name, ciphertext });
  return result.plaintext.toString('utf8');
}
Everything works fine locally, but I can't get the function to work when it is invoked via the http trigger. Looking at the logs I see:
textPayload: "Error: Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied for resource 'projects/[projectname]/locations/global/keyRings/[keyring]/cryptoKeys/[key]'.
at Http2CallStream.call.on (/srv/functions/node_modules/@grpc/grpc-js/build/src/client.js:96:45)
at Http2CallStream.emit (events.js:194:15)
at Http2CallStream.EventEmitter.emit (domain.js:459:23)
at process.nextTick (/srv/functions/node_modules/@grpc/grpc-js/build/src/call-stream.js:71:22)
at process._tickCallback (internal/process/next_tick.js:61:11)"
I've tried various IAM permissions (including Owner), but nothing seems to help.
This may be related to another problem I'm having: I can't deploy the function through Google Cloud Build. It fails with an unhelpful error:
starting build "b2321cdb-bd4c-4828-8d38-80a86f4fe808"
FETCHSOURCE
Initialized empty Git repository in /workspace/.git/
From https://source.developers.google.com/p/[projectname]/r/[repo]
* branch 314691d6e63199caf867c74bcd0090bc70386a0e -> FETCH_HEAD
HEAD is now at 314691d Merge pull request #2 from [repo]/tristans/update-deploy-cloudbuild
BUILD
Already have image (with digest): gcr.io/cloud-builders/gcloud
Deploying function (may take a while - up to 2 minutes)...
...............failed.
ERROR: (gcloud.functions.deploy) OperationError: code=3, message=Build failed: Build error details not available
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/gcloud" failed: exit status 1
There don't seem to be any KMS permissions needed to deploy with functions deploy name --trigger-http --runtime=nodejs10 --entry-point=fname --project=project, and, as I said, it works fine when I run gcloud deploy locally, so I'm not sure why this fails. We have several cloud functions with a similar deploy process, so it seems like something about how KMS works that isn't obvious or well documented; knowing it would benefit me greatly, but perhaps it is just a hassle.
If there is a better way to use KMS for this purpose, I'm all ears!
Answer 0 (score: 0)
Per the Google Cloud Functions docs, the runtime service account for functions is
You need to grant this account the KMS decrypt permission.
This can be done in the "IAM & Admin / IAM" section of the Google Cloud web console.
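As an added illustration of this answer (not code from the question or the answer), the following Node.js snippet turns the exact PERMISSION_DENIED line from the function logs into a key-scoped grant of the decrypter role for the runtime service account, rather than a broad project-level role such as Owner. The log line is the one quoted in the question with its placeholder names; the runtime service account value is a placeholder the reader substitutes.

```javascript
// Added example, not from the question or the answer: map the KMS
// permission error in the logs to a least-privilege fix.
// '[RUNTIME_SERVICE_ACCOUNT]' is a placeholder for the function's service account.

const DECRYPT_PERMISSION = 'cloudkms.cryptoKeyVersions.useToDecrypt';
// Predefined role that carries only that permission (no encrypt, no key admin).
const DECRYPTER_ROLE = 'roles/cloudkms.cryptoKeyDecrypter';

// Parse "Permission 'X' denied for resource 'projects/.../cryptoKeys/K'"
// into its parts; returns null if the line is not a KMS key permission error.
function parseKmsPermissionError(message) {
  const m = /Permission '([^']+)' denied for resource '([^']+)'/.exec(message);
  if (!m) return null;
  const [, permission, resource] = m;
  const r = /^projects\/([^/]+)\/locations\/([^/]+)\/keyRings\/([^/]+)\/cryptoKeys\/([^/]+)$/.exec(resource);
  if (!r) return null;
  const [, project, location, keyRing, key] = r;
  return { permission, resource, project, location, keyRing, key };
}

// Same resource name that KeyManagementServiceClient.cryptoKeyPath() builds,
// so the key named in the log can be checked against the key the code uses.
function cryptoKeyPath(project, location, keyRing, key) {
  return `projects/${project}/locations/${location}/keyRings/${keyRing}/cryptoKeys/${key}`;
}

// Build the fix: bind the decrypter role on that one key only, to the
// runtime service account (not to the developer's own user account).
function decryptGrantCommand(err, runtimeServiceAccount) {
  if (err.permission !== DECRYPT_PERMISSION) {
    throw new Error(`unexpected permission ${err.permission}; only ${DECRYPT_PERMISSION} is mapped`);
  }
  return [
    'gcloud kms keys add-iam-policy-binding', err.key,
    `--keyring=${err.keyRing}`, `--location=${err.location}`, `--project=${err.project}`,
    `--member=serviceAccount:${runtimeServiceAccount}`, `--role=${DECRYPTER_ROLE}`,
  ].join(' ');
}

// Constructed sample: the log line from the question, placeholders included.
const SAMPLE_LOG = "Error: Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied for resource 'projects/[projectname]/locations/global/keyRings/[keyring]/cryptoKeys/[key]'.";

const parsed = parseKmsPermissionError(SAMPLE_LOG);
// Only emit a grant when the key in the log is the key the function code names.
if (parsed && parsed.resource === cryptoKeyPath('[projectname]', 'global', '[keyring]', '[key]')) {
  console.log(decryptGrantCommand(parsed, '[RUNTIME_SERVICE_ACCOUNT]'));
}
```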