Access_secret_in_colaboratory.ipynb
{
"nbformat": 4,
"nbformat_minor": 0,
"metadata": {
"colab": {
"private_outputs": true,
"provenance": [],
"include_colab_link": true
},
"kernelspec": {
"name": "python3",
"display_name": "Python 3"
},
"language_info": {
"name": "python"
},
"gpuClass": "standard"
},
"cells": [
{
"cell_type": "markdown",
"metadata": {
"id": "view-in-github",
"colab_type": "text"
},
"source": [
"<a href=\"https://colab.research.google.com/gist/Ningensei848/d2ef194a5d5506aabaaa38de33423638/access_secret_in_colaboratory.ipynb\" target=\"_parent\"><img src=\"https://colab.research.google.com/assets/colab-badge.svg\" alt=\"Open In Colab\"/></a>"
]
},
{
"cell_type": "markdown",
"source": [
"\n",
"## Prerequisites:\n",
"\n",
"Grant the user account (any Google account) the Secret Manager \"Secret Manager Secret Accessor\" role in advance\n",
"\n",
"> GCP >> IAM & Admin >> IAM >> \\[Grant access\\] >> \\[Add principals\\] >> \\[Assign roles\\] >> \\[Save\\]\n",
"\n",
"- For the principal, enter the Google account's e-mail address; for the role, select only `roles/secretmanager.secretAccessor`\n",
"\n",
"\n",
"## What this notebook does\n",
"\n",
"\n",
"### 1. Authenticate the \"user account\" in Colab\n",
"\n",
"Working in Colab, authenticate the \"user account\"\n",
"\n",
"(Log in with the Google account added under \\[Prerequisites\\])\n",
"\n",
"```python\n",
"from google.colab import auth\n",
"\n",
"auth.authenticate_user() # the first time, a separate window opens; authenticate there\n",
"```\n",
"\n",
"### 2. Connect to Secret Manager\n",
"\n",
"If the permission has been granted correctly, the Google account authenticated in step 1 can read secrets from Secret Manager\n",
"\n",
"(`google_crc32c` is used to verify that the response is intact)\n",
"\n",
"```python\n",
"import google_crc32c\n",
"from google.cloud import secretmanager\n",
"```\n",
"\n",
"### 3. Connect to GCP as the \"service account\"\n",
"\n",
"Authenticate the \"service account\" using the secret that was retrieved\n",
"\n",
"```python\n",
"import json\n",
"from google.oauth2 import service_account\n",
"```\n",
"\n",
"\n",
"**Done!**\n",
"\n",
"\n"
],
"metadata": {
"id": "qApFaTMQyB7f"
}
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"id": "yyyimdStj3dH"
},
"outputs": [],
"source": [
"\n",
"# The project ID is given as a number here, but the project name also works without problems\n",
"\n",
"PROJECT_ID = \"\" # @param {type:\"string\"}\n",
"SECRET_ID = \"\" # @param {type:\"string\"}\n"
]
},
{
"cell_type": "code",
"source": [
"\n",
"!pip install google-cloud-secret-manager google-crc32c\n"
],
"metadata": {
"id": "P_tmBQQrx5qx"
},
"execution_count": null,
"outputs": []
},
{
"cell_type": "code",
"source": [
"\n",
"# Prerequisite: grant the user account the Secret Manager \"Secret Manager Secret Accessor\" role in advance\n",
"# GCP >> IAM & Admin >> IAM >> Grant access >> Add principals >> Assign roles >> Save\n",
"# For the principal, enter the Google account's e-mail address; for the role, select only `roles/secretmanager.secretAccessor`\n",
"\n",
"\n",
"# Working in Colab, authenticate the \"user account\"\n",
"# Log in with the Google account added above\n",
"from google.colab import auth\n",
"\n",
"\n",
"# Connect to Secret Manager and verify that the response is intact (the checksum takes care of this for us)\n",
"import google_crc32c\n",
"from google.cloud import secretmanager\n",
"\n",
"# Connect to GCP again, this time as the \"service account\"\n",
"import json\n",
"from google.oauth2 import service_account\n",
"\n",
"# Done!\n"
],
"metadata": {
"id": "WqVb-ueZx8YB"
},
"execution_count": null,
"outputs": []
},
{
"cell_type": "code",
"source": [
"\n",
"# Colab runs on GCE, so it will not work unless it first separately identifies who the user is (?)\n",
"# cf. https://zenn.dev/hattan0523/articles/9be93149ac0754\n",
"auth.authenticate_user()\n"
],
"metadata": {
"id": "Q8DX_KUV0KZj"
},
"execution_count": null,
"outputs": []
},
{
"cell_type": "code",
"source": [
"\n",
"# cf. https://cloud.google.com/secret-manager/docs/samples/secretmanager-access-secret-version\n",
"def access_secret_version(project_id: str, secret_id: str, version_id: str = \"latest\") -> str:\n",
"    \"\"\"\n",
"    Access the payload for the given secret version if one exists. The version\n",
"    can be a version number as a string (e.g. \"5\") or an alias (e.g. \"latest\").\n",
"    Relies on the module-level imports of `secretmanager` and `google_crc32c` above.\n",
"    \"\"\"\n",
"\n",
"    # Create the Secret Manager client.\n",
"    client = secretmanager.SecretManagerServiceClient()\n",
"\n",
"    # Build the resource name of the secret version.\n",
"    name = f\"projects/{project_id}/secrets/{secret_id}/versions/{version_id}\"\n",
"\n",
"    # Access the secret version.\n",
"    response = client.access_secret_version(request={\"name\": name})\n",
"\n",
"    # Verify payload checksum; fail loudly instead of returning a non-string\n",
"    # that the caller would then try to json.loads().\n",
"    crc32c = google_crc32c.Checksum()\n",
"    crc32c.update(response.payload.data)\n",
"    if response.payload.data_crc32c != int(crc32c.hexdigest(), 16):\n",
"        raise ValueError(\"Data corruption detected: payload CRC32C mismatch.\")\n",
"\n",
"    # Decode the secret payload.\n",
"    #\n",
"    # WARNING: Do not print the secret in a production environment - this\n",
"    # snippet is showing how to access the secret material.\n",
"    payload = response.payload.data.decode(\"UTF-8\")\n",
"    # print(\"Plaintext: {}\".format(payload))\n",
"\n",
"    return payload\n"
],
"metadata": {
"id": "BMSz8KNG0M6w"
},
"execution_count": null,
"outputs": []
},
{
"cell_type": "code",
"source": [
"\n",
"cred_json = json.loads(access_secret_version(PROJECT_ID, SECRET_ID))\n",
"\n",
"# NOTE: this prints the whole service-account key, including `private_key`, into the cell output\n",
"print(json.dumps(cred_json, indent=2, ensure_ascii=False))\n"
],
"metadata": {
"id": "ObsHbP8u0Q-D"
},
"execution_count": null,
"outputs": []
},
{
"cell_type": "code",
"source": [
"\n",
"# For the credentials below, simply replace `from_service_account_file()` with\n",
"# `from_service_account_info()` (then there is no dependency on a local file)\n",
"\n",
"credentials = service_account.Credentials.from_service_account_info(cred_json)\n",
"\n"
],
"metadata": {
"id": "75USEGdQ0mFl"
},
"execution_count": null,
"outputs": []
}
]
}