| package main | |
| /* | |
| Client-side BQ AEAD Encryption | |
| Sample that encrypts data client side and uses BigQuery streaming insert. | |
| The data is encrypted and is compatible with BQ AEAD functions | |
| https://cloud.google.com/bigquery/docs/reference/standard-sql/aead_encryption_functions |
| curl -s https://httpbin.org/get | jq -r '.origin' | |
| 1.2.3.4 |
| # snippet uses ADC credentials to impersonate generic-server@project.iam.gserviceaccount.com | |
| # then use that server's credentials to create a token for user2 using domain delegation | |
| # after that, the gcs and pubsub calls are done as if its user2 | |
| import google.auth | |
| import time | |
| from google.auth import credentials | |
| from google.cloud import iam_credentials_v1 |
| # snippet uses ADC credentials to impersonate generic-server@project.iam.gserviceaccount.com | |
| # then use that server's credentials to create a token for user2 using domain delegation | |
| # after that, the gcs and pubsub calls are done as if its user2 | |
| import google.auth | |
| import time | |
| from google.auth import credentials | |
| from google.cloud import iam_credentials_v1 | |
| from google.auth import impersonated_credentials |
| ## StaticCredentials should be in google.auth. | |
| # sc = StaticCredentials(token=access_token,expires_in=expires_in,token_type=token_type) | |
| # from google.cloud import storage | |
| # client = storage.Client(project=project, credentials=sc) | |
| # for b in client.list_buckets(): | |
| # print(b.name) |
given a key of type
gcloud kms keys list --keyring=mykeyring --location=us-central1
projects/mineral-minutia-820/locations/us-central1/keyRings/mykeyring/cryptoKeys/dlp ASYMMETRIC_DECRYPT RSA_DECRYPT_OAEP_2048_SHA1 SOFTWARE
gcloud kms keys versions get-public-key 1 --key dlp --keyring=mykeyring --location=us-central1 > key.pub
| package main | |
| import ( | |
| "context" | |
| "fmt" | |
| "io" | |
| "os" | |
| "cloud.google.com/go/storage" |
| export DISCOVERY_URL="https://e782-72-83-67-174.ngrok.io" | |
| minikube start --driver=kvm2 --feature-gates=ServiceAccountIssuerDiscovery=true \ | |
| --extra-config=apiserver.service-account-jwks-uri=$DISCOVERY_URL/openid/v1/jwks \ | |
| --extra-config=apiserver.service-account-issuer=$DISCOVERY_URL | |
| # enable the cluster role bindng to expose the discovery server | |
| kubectl create clusterrolebinding oidc-reviewer --clusterrole=system:service-account-issuer-discovery --group=system:unauthenticated |
| curl -s $DISCOVERY_URL/.well-known/openid-configuration | jq '.' | |
| { | |
| "issuer": "https://e782-72-83-67-174.ngrok.io", | |
| "jwks_uri": "https://e782-72-83-67-174.ngrok.io/openid/v1/jwks", | |
| "response_types_supported": [ | |
| "id_token" | |
| ], | |
| "subject_types_supported": [ | |
| "public" | |
| ], |
| $ kubectl get po | |
| NAME READY STATUS RESTARTS AGE | |
| myapp-deployment-86d84cff8f-ckljb 1/1 Running 0 26s | |
| myapp-deployment-86d84cff8f-nkshd 1/1 Running 0 26s | |
| $ kubectl exec -ti myapp-deployment-86d84cff8f-ckljb cat /var/run/secrets/iot-token/iot-token | |
| eyJhbGciOiJSUzI1NiIsImtpZCI6IkFUaUdaN2Y2ZTRfMlFtOG5lQWhQeFlEVnlmRkpEQzNTUV9JNFFIdFgzbjgifQ.eyJhdWQiOlsiZ2NwLXN0cy1hdWRpZW5jZSJdLCJleHAiOjE2MzQ5MTY2MDAsImlhdCI6MTYzNDkwOTQwMCwiaXNzIjoiaHR0cHM6Ly9lNzgyLTcyLTgzLTY3LTE3NC5uZ3Jvay5pbyIsImt1YmVybmV0ZXMuaW8iOnsibmFtZXNwYWNlIjoiZGVmYXVsdCIsInBvZCI6eyJuYW1lIjoibXlhcHAtZGVwbG95bWVudC04NmQ4NGNmZjhmLWNrbGpiIiwidWlkIjoiY2JhNTVlZGMtYmMwOC00YjVkLWJmZTEtYzBhMTA5YWVkYjVmIn0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJzdmMxLXNhIiwidWlkIjoiZTQxNmE5OTEtNmE2Ni00ODc3LWJhMjYtYTk3YTYwZjQ0ZjIyIn19LCJuYmYiOjE2MzQ5MDk0MDAsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnN2YzEtc2EifQ.mFf5VEdeFXhi2I7tYN5ORToKeEPlnRW3uNPUGEkcozMtNAGVrL0bRKm7eaQHWilpdxFJ3gjN7RjHOqP0e-4dsHl_zE2S |