I want to import the encryption key to GCP "key-management" currently the key is on my GCP storage. are there any steps to import to GCP key-management without affecting the operation? if any on did before. thanks!!!
I found this video useful.
In GCP documentation they recommended that you create a new project to test this feature, to ease clean-up after testing and to ensure that you have adequate IAM permissions to import a key.
Related
I have googled quite heavily the last couple of hours to see if I could use Google Secret Manager from an external service like AWS Lambda or my local PC. I could not find anything helpful, or something that describes properly the steps to do so.
I do not want to play with the APIs and end up doing the authenticating via OAuth myself, I wish to use the client library. How would I go about doing so?
I have so far referred to the following links:
https://cloud.google.com/secret-manager/docs/configuring-secret-manager - Describes setting up secret manager, and prompts you to set up Google Cloud SDK.
https://cloud.google.com/sdk/docs/initializing - Describes setting up the cloud SDK (doesn't seem like I get some kind of config file that helps me to point my client library to the correct GCP project)
The issue I have is that it doesn't seem like I get access to some form of credential that I can use with the client library that consumes the secret manager service of a particular GCP project. Something like a service account token or a means of authenticating and consuming the service from an external environment.
Any help is appreciated, it just feels like I'm missing something. Or is it simply impossible to do so?
PS: Why am I using GCP secret manager when AWS offers a similar service? The latter is too expensive.
I think that your question applies to all GCP services, there isn't anything that is specific to Secret Manager.
As you mentioned, https://cloud.google.com/docs/authentication/getting-started documents how to create and use a Service Account. But this approach has the downside that now you need to figure out to store the service account key (yet another Secret!)
If you're planning to access GCP Secret Manager from AWS you can consider using: https://cloud.google.com/iam/docs/configuring-workload-identity-federation#aws which uses identity federation to map an AWS service account to a GCP service account, without the need to store an extra Secret somewhere.
Is it possible to do local development without using google service account key in minikube.
Currently I have a service account key which I use to authenticate google services inside the pod in minikube.
I want to avoid using service account key and instead use IAM role.
Iam User - XXX#XX.com
I am given required role/permission to this iam user.
After using gcloud auth login, I can access the google services. Is it possible to do similar way in k8s/minikube pods.
I think that you can cheat. Use it only for development environment, never in production
Firstly, locate your own user credentials created with the gcloud auth application-default login. The created file is
on linux ~/.config/gcloud/application_default_credentials.json
on windows %appdata%\gcloud\application_default_credentials.json
Then mount this file (or copy it) into minikube
You can define your GOOGLE_APPLICATION_CREDENTIALS env var to reference this file.
That's all, your credential will be used! Be careful, there is some limitation, I wrote an article on this
I think you are mixing things up. You can never use a key instead of a role. In most cases, you need both of them. You need a key to authenticate to the Google Cloud Platform. And you need a certain IAM role to access services within GCP. Authentication means confirming your own identity, whereas authorization means being allowed access to the system.
In your specific case, I think you are referring to the process of letting your application/code use your own identity to authentication to the Google Cloud Platform. There are 2 possibilities here:
Download a service account key file, which is prone to security leaks, because those key files are not rotated by themselves.
As #guillaume blaquiere explains below, you could also generate a key file using your own identity. The specifics about this are well explained here and here. For local development, this is preferred over the other option.
If you want to know how your SDK works with key files, I would recommend you take a look inside the SDK for the programming language you are using. There is always be a reference to GOOGLE_APPLICATION_CREDENTIALS. This is the location of the key file you are using.
I have a Google Cloud SQL server running MySQL that is used by low technical knowledge users to import csv's to a MySQL database. They use the Import function built into GC SQL. However, there are several databases and I would like to limit access to a database to each user.
Here is the menu that I refer to: https://i.imgur.com/LyX7Wbk.png
I already tried assigning a IAM Role with less access but everything excep SQL Admin greyes out the Import option. SQL Admin gives complete access to even delete the instance so its definitely not an option.
Any help would be greatly appreciated.
You can't. Indeed, IAM role allow you to control access to GCP component. Here, your requirements is to administrate user that access to specific database schema, which is the role of DBA.
The only solution is to build something on top of Google API for limiting/controlling access.
When viewieng the datastore page:
There was an error while loading /datastore/welcome?project=***********&folder=&organizationId=
Minimum permissions required for this page:
appengine.applications.create
datastore.locations.list
servicemanagement.services.bind
All permissions checked for the current project:
appengine.applications.create
datastore.locations.list
servicemanagement.services.bind
I have 'Editor' as well as 'Cloud Datastore Owner' permissions.
What else do I need?
Those roles should be enough to view the project's Cloud Datastore instance. However, a few things in your post indicate that you're trying to create a Datastore instance, and to do that, you'll also need the appengine.applications.create permission if your project doesn't have an App Engine app.
Cloud Datastore depends on App Engine. You don't have to use App Engine at all but you do need an active app to use Datastore.
You can have a project owner create the Datastore instance for you first, or you can ask them to give you the appengine.applications.create permission using a custom role.
I have enabled the XML API and allocated some Developer Keys for my own account using the Google Cloud Platform Console. All working well.
My question is: Is there any way to enable the XML API and get a Developer Key for a Service Account?
No, there isn't. However, if you're willing to complete a couple additional steps, you can do a full migration and use service accounts natively with minimal effort.