资源...密钥的权限'cloudkms.cryptoKeyVersions.useToDecrypt'被拒绝

Question

我正在使用Google Cloud Functions构建一个http端点。我将加密的机密存储为文件，并在函数中对其进行了加载和解密，以防止我的机密存储在代码中。通常，我会动态地从Google Cloud Storage中加载某些内容，但似乎KMS更适合用于此目的。

使用KMS的代码如下：

getCredentials: async function () {
    const kms = require('@google-cloud/kms');
    const client = new kms.KeyManagementServiceClient();
    const fs = require('fs');
    let ciphertext = (fs.readFileSync('secret.enc')).toString('base64')
    const name = client.cryptoKeyPath(
      '[project]',
      'global',
      '[keyring]',
      '[key]'
    );

一切在本地运行都很好，但是当使用http触发器调用时，我似乎无法使该函数正常工作。查看日志，我看到了：

textPayload:  "Error: Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied for resource 'projects/[projectname]/locations/global/keyRings/[keyring]/cryptoKeys/[key]'.
    at Http2CallStream.call.on (/srv/functions/node_modules/@grpc/grpc-js/build/src/client.js:96:45)
    at Http2CallStream.emit (events.js:194:15)
    at Http2CallStream.EventEmitter.emit (domain.js:459:23)
    at process.nextTick (/srv/functions/node_modules/@grpc/grpc-js/build/src/call-stream.js:71:22)
    at process._tickCallback (internal/process/next_tick.js:61:11)" 

我已经尝试了各种IAM权限（包括所有者），但似乎无济于事。

这可能与我遇到的另一个问题有关，即我无法通过Google Cloud Build部署该功能。没有帮助就会出错：

starting build "b2321cdb-bd4c-4828-8d38-80a86f4fe808"

FETCHSOURCE
Initialized empty Git repository in /workspace/.git/
From https://source.developers.google.com/p/[projectname]/r/[repo]
* branch 314691d6e63199caf867c74bcd0090bc70386a0e -> FETCH_HEAD
HEAD is now at 314691d Merge pull request #2 from [repo]/tristans/update-deploy-cloudbuild
BUILD
Already have image (with digest): gcr.io/cloud-builders/gcloud
Deploying function (may take a while - up to 2 minutes)...
...............failed.
ERROR: (gcloud.functions.deploy) OperationError: code=3, message=Build failed: Build error details not available
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/gcloud" failed: exit status 1

似乎不需要任何KMS权限来部署functions deploy name --trigger-http --runtime=nodejs10 --entry-point=fname --project=project，而且就像我说的那样，当我在本地运行gcloud deploy时，它可以很好地工作，所以我不确定为什么会失败。我们有几个具有类似部署过程的云功能，因此关于KMS的工作方式似乎不明显或不完整，这使我受益匪浅，但也许是个麻烦。

如果有一种更好的方法可以将KMS用于此目的，我全神贯注！

Answer 1

每个Google Functions docs，函数的运行时服务帐户为import UIKit class ViewController: UIViewController { var count: Int = 0 var ht = -90 var ww = 80 var moveCounter = 0 var counter = 0 var arrTextFields = [UIImageView]() var b7 = UIButton() var sx = UISlider() override func viewDidLoad() { super.viewDidLoad() [b7,sx].forEach { $0.translatesAutoresizingMaskIntoConstraints = false view.addSubview($0) $0.backgroundColor = .systemOrange } b7.frame = CGRect(x: view.center.x-115, y: view.center.y + 200, width: 70, height: 40) sx.frame = CGRect(x: view.center.x-115, y: view.center.y - 200, width: 70, height: 40) b7.addTarget(self, action: #selector(addBOx), for: .touchUpInside) } //Uses slider sx to change ww to effect the width of the imageview selected @objc func imageViewTapped(sender: UITapGestureRecognizer) { if let imageView = sender.view as? UIImageView { // Change the imageView's background here imageView.backgroundColor = UIColor.systemGray } } //func that adds imageview. @objc func addBOx() { let subview = UIImageView() let gestureRecognizer = UITapGestureRecognizer(target: self, action: #selector(imageViewTapped)) subview.addGestureRecognizer(gestureRecognizer) subview.isUserInteractionEnabled = true arrTextFields.append(subview) view.addSubview(subview) subview.frame = CGRect(x: view.bounds.midX - 0, y: view.bounds.midY + CGFloat(ht), width: CGFloat(ww), height: 35) subview.backgroundColor = .purple subview.tag = count count += 1 ht += 50 arrTextFields.append(subview) }}
您需要为此帐户授予KMS解密权限。
可以在Google云网络控制台的“ IAM＆Admin / IAM”部分中完成