
salrashid123 / main.go
Last active Jan 13, 2022
Google BigQuery Client-side AEAD Encryption
package main
/*
Client-side BQ AEAD Encryption
Sample that encrypts data client side and uses BigQuery streaming insert.
The data is encrypted and is compatible with BQ AEAD functions
https://cloud.google.com/bigquery/docs/reference/standard-sql/aead_encryption_functions
salrashid123 / curl.sh
Created Dec 23, 2021
What is my IP using cli tools (curl)
# Print the caller's public IP address as reported by httpbin.org
# (the "origin" field of the JSON reply); the request goes to a third-party service.
curl --silent https://httpbin.org/get | jq --raw-output '.origin'
1.2.3.4
salrashid123 / main.py
Created Dec 21, 2021
google-auth python. Impersonate and domain-delegate using iam_credentials_v1.IAMCredentialsClient
# snippet uses ADC credentials to impersonate generic-server@project.iam.gserviceaccount.com
# then use that server's credentials to create a token for user2 using domain delegation
# after that, the GCS and Pub/Sub calls are made as if the caller were user2
import google.auth
import time
from google.auth import credentials
from google.cloud import iam_credentials_v1
salrashid123 / main.py
Last active Dec 21, 2021
google-auth python. Impersonate and domain-delegate using impersonated_credentials
# snippet uses ADC credentials to impersonate generic-server@project.iam.gserviceaccount.com
# then use that server's credentials to create a token for user2 using domain delegation
# after that, the GCS and Pub/Sub calls are made as if the caller were user2
import google.auth
import time
from google.auth import credentials
from google.cloud import iam_credentials_v1
from google.auth import impersonated_credentials
salrashid123 / static_credentials.py
Created Dec 20, 2021
google.auth.StaticCredentials
## StaticCredentials should be in google.auth.
# sc = StaticCredentials(token=access_token,expires_in=expires_in,token_type=token_type)
# from google.cloud import storage
# client = storage.Client(project=project, credentials=sc)
# for b in client.list_buckets():
# print(b.name)
salrashid123 / kms_rsa.md
Created Dec 16, 2021
Encrypt/Decrypt using RSA openssl and GCP Cloud KMS

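Given a Cloud KMS key of the following type (asymmetric decryption, RSA-OAEP with a 2048-bit key and a SHA-1 digest; the OAEP digest chosen on the openssl side must match the key's algorithm):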

gcloud kms keys list --keyring=mykeyring --location=us-central1
   projects/mineral-minutia-820/locations/us-central1/keyRings/mykeyring/cryptoKeys/dlp            ASYMMETRIC_DECRYPT  RSA_DECRYPT_OAEP_2048_SHA1    SOFTWARE
gcloud kms keys versions get-public-key 1 --key dlp --keyring=mykeyring --location=us-central1 > key.pub
salrashid123 / main.go
Last active Dec 8, 2021
Google Cloud Storage Downscope tokens api in go
package main
import (
"context"
"fmt"
"io"
"os"
"cloud.google.com/go/storage"
View k8s_wif_14.txt
export DISCOVERY_URL="https://e782-72-83-67-174.ngrok.io"
minikube start --driver=kvm2 --feature-gates=ServiceAccountIssuerDiscovery=true \
--extra-config=apiserver.service-account-jwks-uri=$DISCOVERY_URL/openid/v1/jwks \
--extra-config=apiserver.service-account-issuer=$DISCOVERY_URL
# create the cluster role binding that exposes the OIDC discovery endpoints to unauthenticated callers
kubectl create clusterrolebinding oidc-reviewer --clusterrole=system:service-account-issuer-discovery --group=system:unauthenticated
View k8s_ngrok.txt
curl -s $DISCOVERY_URL/.well-known/openid-configuration | jq '.'
{
"issuer": "https://e782-72-83-67-174.ngrok.io",
"jwks_uri": "https://e782-72-83-67-174.ngrok.io/openid/v1/jwks",
"response_types_supported": [
"id_token"
],
"subject_types_supported": [
"public"
],
View k8s_wif_11.txt
$ kubectl get po
NAME READY STATUS RESTARTS AGE
myapp-deployment-86d84cff8f-ckljb 1/1 Running 0 26s
myapp-deployment-86d84cff8f-nkshd 1/1 Running 0 26s
$ kubectl exec -ti myapp-deployment-86d84cff8f-ckljb cat /var/run/secrets/iot-token/iot-token
eyJhbGciOiJSUzI1NiIsImtpZCI6IkFUaUdaN2Y2ZTRfMlFtOG5lQWhQeFlEVnlmRkpEQzNTUV9JNFFIdFgzbjgifQ.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.mFf5VEdeFXhi2I7tYN5ORToKeEPlnRW3uNPUGEkcozMtNAGVrL0bRKm7eaQHWilpdxFJ3gjN7RjHOqP0e-4dsHl_zE2S