{ | |
"nbformat": 4, | |
"nbformat_minor": 0, | |
"metadata": { | |
"colab": { | |
"private_outputs": true, | |
"provenance": [], | |
"include_colab_link": true | |
}, | |
"kernelspec": { | |
"name": "python3", | |
"display_name": "Python 3" | |
}, | |
"language_info": { | |
"name": "python" | |
}, | |
"gpuClass": "standard" | |
}, | |
"cells": [ | |
{ | |
"cell_type": "markdown", | |
"metadata": { | |
"id": "view-in-github", | |
"colab_type": "text" | |
}, | |
"source": [ | |
"<a href=\"https://colab.research.google.com/gist/Ningensei848/d2ef194a5d5506aabaaa38de33423638/access_secret_in_colaboratory.ipynb\" target=\"_parent\"><img src=\"https://colab.research.google.com/assets/colab-badge.svg\" alt=\"Open In Colab\"/></a>" | |
] | |
}, | |
{ | |
"cell_type": "markdown", | |
"source": [ | |
"\n", | |
"## 前提条件:\n", | |
"\n", | |
"ユーザアカウント(任意のGoogle アカウント)に対して、Secret Manager の 「Secret Manager のシークレット アクセサー」権限を付与しておく\n", | |
"\n", | |
"> GCP >> IAM と管理 >> IAM >> \\[アクセス権を付与\\] >> \\[プリンシパルの追加\\] >> \\[ロールを割り当てる\\] >> \\[保存\\]\n", | |
"\n", | |
"- プリンシパルには Google アカウントのメアドを、ロールには `roles/secretmanager.secretAccessor` のみを選択\n", | |
"\n", | |
"\n", | |
"## この notebook でやっていることの説明\n", | |
"\n", | |
"\n", | |
"### 1. Colab 上で「ユーザアカウント」の認証\n", | |
"\n", | |
"colab 側で操作し、「ユーザアカウント」の認証を行なう\n", | |
"\n", | |
"(この際、\\[前提条件\\]で追加した Google アカウント でログインすること)\n", | |
"\n", | |
"```lang:python\n", | |
"from google.colab import auth\n", | |
"\n", | |
"auth.authenticate_user() # 初回は別ウィンドウが開くので認証する\n", | |
"```\n", | |
"\n", | |
"### 2. Secret Manager に接続\n", | |
"\n", | |
"正しく権限があたえられていれば、1で認証した Google アカウントは Secret Manager から秘密情報を読み出すことができる\n", | |
"\n", | |
"(`google_crc32c` では、取得したペイロードの CRC32C チェックサムをレスポンス側の値と照合し、転送中の破損がないか検証している)\n", | |
"\n", | |
"```lang:python\n", | |
"import google_crc32c\n", | |
"from google.cloud import secretmanager\n", | |
"```\n", | |
"\n", | |
"### 3. 「サービスアカウント」として、GCPに接続する\n", | |
"\n", | |
"得られた秘密情報(サービスアカウントの鍵 JSON)を使用して、「サービスアカウント」を認証する\n", | |
"\n", | |
"(この鍵 JSON には秘密鍵が含まれるため、セルの出力に表示したまま notebook を共有しないこと。確認が済んだら出力を消しておく)\n", | |
"\n", | |
"```\n", | |
"import json\n", | |
"from google.oauth2 import service_account\n", | |
"```\n", | |
"\n", | |
"\n", | |
"**完了!**\n", | |
"\n", | |
"\n" | |
], | |
"metadata": { | |
"id": "qApFaTMQyB7f" | |
} | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": null, | |
"metadata": { | |
"id": "yyyimdStj3dH" | |
}, | |
"outputs": [], | |
"source": [ | |
"\n", | |
"# PROJECT_ID にはプロジェクト番号(数値)を指定しているが、プロジェクト ID(文字列)でも問題なく実行できる\n", | |
"\n", | |
"PROJECT_ID = \"\" # @param {type:\"string\"}\n", | |
"SECRET_ID = \"\" # @param {type:\"string\"}\n" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"source": [ | |
"\n", | |
"!pip install google-cloud-secret-manager google-crc32c\n" | |
], | |
"metadata": { | |
"id": "P_tmBQQrx5qx" | |
}, | |
"execution_count": null, | |
"outputs": [] | |
}, | |
{ | |
"cell_type": "code", | |
"source": [ | |
"\n", | |
"# 前提条件:ユーザアカウントに対して、Secret Manager の 「Secret Manager のシークレット アクセサー」権限を付与しておく\n", | |
"# GCP >> IAM と管理 >> IAM >> アクセス権を付与 >> プリンシパルの追加 >> ロールを割り当てる >> 保存\n", | |
"# プリンシパルには Google アカウントのメアドを、ロールには `roles/secretmanager.secretAccessor` のみを選択\n", | |
"\n", | |
"\n", | |
"# colab 側で操作し、「ユーザアカウント」の認証を行なう\n", | |
"# ↑で追加したGoogle アカウントでログインすること\n", | |
"from google.colab import auth\n", | |
"\n", | |
"\n", | |
"# Secret Manager に接続し、取得したペイロードの CRC32C チェックサムを検証する(計算は google_crc32c が行なう)\n", | |
"import google_crc32c\n", | |
"from google.cloud import secretmanager\n", | |
"\n", | |
"# 再度「サービスアカウント」として、GCPに接続する\n", | |
"import json\n", | |
"from google.oauth2 import service_account\n", | |
"\n", | |
"# 完了!\n" | |
], | |
"metadata": { | |
"id": "WqVb-ueZx8YB" | |
}, | |
"execution_count": null, | |
"outputs": [] | |
}, | |
{ | |
"cell_type": "code", | |
"source": [ | |
"\n", | |
"# colab は GCE で動いているので、「利用者が誰であるか」を別途認証してからでないと動かない(?)\n", | |
"# cf. https://zenn.dev/hattan0523/articles/9be93149ac0754\n", | |
"auth.authenticate_user()\n" | |
], | |
"metadata": { | |
"id": "Q8DX_KUV0KZj" | |
}, | |
"execution_count": null, | |
"outputs": [] | |
}, | |
{ | |
"cell_type": "code", | |
"source": [ | |
"\n", | |
"# cf. https://cloud.google.com/secret-manager/docs/samples/secretmanager-access-secret-version\n", | |
"def access_secret_version(project_id: str, secret_id: str, version_id: str = \"latest\") -> str:\n", | |
" \"\"\"\n", | |
" Access the payload for the given secret version if one exists. The version\n", | |
" can be a version number as a string (e.g. \"5\") or an alias (e.g. \"latest\").\n", | |
"\n", | |
" # Import the Secret Manager client library.\n", | |
" from google.cloud import secretmanager\n", | |
" \"\"\"\n", | |
"\n", | |
" # Create the Secret Manager client.\n", | |
" client = secretmanager.SecretManagerServiceClient()\n", | |
"\n", | |
" # Build the resource name of the secret version.\n", | |
" name = f\"projects/{project_id}/secrets/{secret_id}/versions/{version_id}\"\n", | |
"\n", | |
" # Access the secret version.\n", | |
" response = client.access_secret_version(request={\"name\": name})\n", | |
"\n", | |
" # Verify payload checksum.\n", | |
" crc32c = google_crc32c.Checksum()\n", | |
" crc32c.update(response.payload.data)\n", | |
" if response.payload.data_crc32c != int(crc32c.hexdigest(), 16):\n", | |
" print(\"Data corruption detected.\")\n", | |
" return response\n", | |
"\n", | |
" # Print the secret payload.\n", | |
" #\n", | |
" # WARNING: Do not print the secret in a production environment - this\n", | |
" # snippet is showing how to access the secret material.\n", | |
" payload = response.payload.data.decode(\"UTF-8\")\n", | |
" # print(\"Plaintext: {}\".format(payload))\n", | |
"\n", | |
" return payload\n" | |
], | |
"metadata": { | |
"id": "BMSz8KNG0M6w" | |
}, | |
"execution_count": null, | |
"outputs": [] | |
}, | |
{ | |
"cell_type": "code", | |
"source": [ | |
"\n", | |
"cred_json = json.loads(access_secret_version(PROJECT_ID, SECRET_ID))\n", | |
"\n", | |
"print(json.dumps(cred_json, indent=2, ensure_ascii=False))\n" | |
], | |
"metadata": { | |
"id": "ObsHbP8u0Q-D" | |
}, | |
"execution_count": null, | |
"outputs": [] | |
}, | |
{ | |
"cell_type": "code", | |
"source": [ | |
"\n", | |
"# credentials の生成を `from_service_account_file()` ではなく\n", | |
"# `from_service_account_info()` に置き換えればよい(ローカルのファイルに依存しなくて済む)\n", | |
"\n", | |
"credentials = service_account.Credentials.from_service_account_info(cred_json)\n", | |
"\n" | |
], | |
"metadata": { | |
"id": "75USEGdQ0mFl" | |
}, | |
"execution_count": null, | |
"outputs": [] | |
} | |
] | |
} |