How do I access Google KMS from Kubernetes Engine?

莫拉修

I have to move a .NET Core application from Google App Engine to Google Kubernetes Engine because I need a static IP, which Google App Engine unfortunately does not offer.

I managed to create a cluster and some pods, but in the logs I see:

Unhandled exception. Grpc.Core.RpcException: Status(StatusCode=PermissionDenied, Detail="Request had insufficient authentication scopes.")
   at Grpc.Core.Internal.AsyncCall`2.UnaryCall(TRequest msg)
   at Grpc.Core.Calls.BlockingUnaryCall[TRequest,TResponse](CallInvocationDetails`2 call, TRequest req)
   at Grpc.Core.DefaultCallInvoker.BlockingUnaryCall[TRequest,TResponse](Method`2 method, String host, CallOptions options, TRequest request)
   at Grpc.Core.Interceptors.InterceptingCallInvoker.<BlockingUnaryCall>b__3_0[TRequest,TResponse](TRequest req, ClientInterceptorContext`2 ctx)
   at Grpc.Core.ClientBase.ClientBaseConfiguration.ClientBaseConfigurationInterceptor.BlockingUnaryCall[TRequest,TResponse](TRequest request, ClientInterceptorContext`2 context, BlockingUnaryCallContinuation`2 continuation)
   at Grpc.Core.Interceptors.InterceptingCallInvoker.BlockingUnaryCall[TRequest,TResponse](Method`2 method, String host, CallOptions options, TRequest request)
   at Google.Cloud.Kms.V1.KeyManagementService.KeyManagementServiceClient.Decrypt(DecryptRequest request, CallOptions options)
   at Google.Api.Gax.Grpc.ApiCall.GrpcCallAdapter`2.CallSync(TRequest request, CallSettings callSettings)
   at Google.Api.Gax.Grpc.ApiCallRetryExtensions.<>c__DisplayClass1_0`2.<WithRetry>b__0(TRequest request, CallSettings callSettings)
   at Google.Api.Gax.Grpc.ApiCall`2.<>c__DisplayClass10_0.<WithCallSettingsOverlay>b__1(TRequest req, CallSettings cs)
   at Google.Api.Gax.Grpc.ApiCall`2.Sync(TRequest request, CallSettings perCallCallSettings)
   at Google.Cloud.Kms.V1.KeyManagementServiceClientImpl.Decrypt(DecryptRequest request, CallSettings callSettings)
   at Google.Cloud.Kms.V1.KeyManagementServiceClient.Decrypt(CryptoKeyName name, ByteString ciphertext, CallSettings callSettings)
   at Neo.Services.Kms.EncryptedFileInfo.CreateReadStream() in /app/Services/Kms/EncryptedFileInfo.cs:line 81
   at Microsoft.Extensions.Configuration.FileConfigurationProvider.Load(Boolean reload)
   at Microsoft.Extensions.Configuration.FileConfigurationProvider.Load()
   at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers)
   at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()
   at Neo.Services.Config.ConfigurationProvider.get_AppConfig() in /app/Services/Config/ConfigurationProvider.cs:line 27
   at Neo.Startup.LogAppChecks() in /app/Startup.cs:line 197
   at Neo.Startup.Run() in /app/Startup.cs:line 24
   at Neo.Program.Main() in /app/Program.cs:line 5

I managed to track down the problem: I cannot decrypt my appsettings.json file in Kubernetes. It works in Google App Engine.

My guess is that this is because GAE sets the GOOGLE_APPLICATION_CREDENTIALS environment variable by default.

I found that article, but it seems to describe something different.

How do I access Google KMS from Kubernetes Engine?

Update

The output of describing my node pool:

config:
  diskSizeGb: 100
  diskType: pd-standard
  imageType: COS
  machineType: n1-standard-1
  metadata:
    disable-legacy-endpoints: 'true'
  oauthScopes:
  - https://www.googleapis.com/auth/devstorage.read_only
  - https://www.googleapis.com/auth/logging.write
  - https://www.googleapis.com/auth/monitoring
  - https://www.googleapis.com/auth/service.management.readonly
  - https://www.googleapis.com/auth/servicecontrol
  - https://www.googleapis.com/auth/trace.append
  serviceAccount: default

I added the scopes to a new node pool with this command:

gcloud container node-pools create your-pool-name --zone europe-west1-b --cluster your-cluster-name --num-nodes 1 --scopes default,bigquery,cloud-platform,compute-rw,datastore,storage-full,taskqueue,userinfo-email,sql-admin

Now I get:

Unhandled exception. Grpc.Core.RpcException: Status(StatusCode=PermissionDenied, Detail="Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource 'projects/project-name/locations/global/keyRings/webapp/cryptoKeys/appsecrets' (or it may not exist).")
   at Grpc.Core.Internal.AsyncCall`2.UnaryCall(TRequest msg)
   at Grpc.Core.Calls.BlockingUnaryCall[TRequest,TResponse](CallInvocationDetails`2 call, TRequest req)
   at Grpc.Core.DefaultCallInvoker.BlockingUnaryCall[TRequest,TResponse](Method`2 method, String host, CallOptions options, TRequest request)
   at Grpc.Core.Interceptors.InterceptingCallInvoker.<BlockingUnaryCall>b__3_0[TRequest,TResponse](TRequest req, ClientInterceptorContext`2 ctx)
   at Grpc.Core.ClientBase.ClientBaseConfiguration.ClientBaseConfigurationInterceptor.BlockingUnaryCall[TRequest,TResponse](TRequest request, ClientInterceptorContext`2 context, BlockingUnaryCallContinuation`2 continuation)
   at Grpc.Core.Interceptors.InterceptingCallInvoker.BlockingUnaryCall[TRequest,TResponse](Method`2 method, String host, CallOptions options, TRequest request)
   at Google.Cloud.Kms.V1.KeyManagementService.KeyManagementServiceClient.Decrypt(DecryptRequest request, CallOptions options)
   at Google.Api.Gax.Grpc.ApiCall.GrpcCallAdapter`2.CallSync(TRequest request, CallSettings callSettings)
   at Google.Api.Gax.Grpc.ApiCallRetryExtensions.<>c__DisplayClass1_0`2.<WithRetry>b__0(TRequest request, CallSettings callSettings)
   at Google.Api.Gax.Grpc.ApiCall`2.<>c__DisplayClass10_0.<WithCallSettingsOverlay>b__1(TRequest req, CallSettings cs)
   at Google.Api.Gax.Grpc.ApiCall`2.Sync(TRequest request, CallSettings perCallCallSettings)
   at Google.Cloud.Kms.V1.KeyManagementServiceClientImpl.Decrypt(DecryptRequest request, CallSettings callSettings)
   at Google.Cloud.Kms.V1.KeyManagementServiceClient.Decrypt(CryptoKeyName name, ByteString ciphertext, CallSettings callSettings)
   at Neo.Services.Kms.EncryptedFileInfo.CreateReadStream() in /app/Services/Kms/EncryptedFileInfo.cs:line 81
   at Microsoft.Extensions.Configuration.FileConfigurationProvider.Load(Boolean reload)
   at Microsoft.Extensions.Configuration.FileConfigurationProvider.Load()
   at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers)
   at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()
   at Neo.Services.Config.ConfigurationProvider.get_AppConfig() in /app/Services/Config/ConfigurationProvider.cs:line 27
   at Neo.Startup.LogAppChecks() in /app/Startup.cs:line 197
   at Neo.Startup.Run() in /app/Startup.cs:line 24
   at Neo.Program.Main() in /app/Program.cs:line 5

After I added the Google KMS Decrypt/Encrypt role to the service account, it works!

Thanks @sethvargo

Works now.

Martin Zeitler

The error message says:

Request had insufficient authentication scopes.

So the scope https://www.googleapis.com/auth/cloud-platform needs to be added.

The service account needs the IAM role roles/cloudkms.cryptoKeyEncrypterDecrypter.
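As an added example (not part of the original question or answer), a POSIX shell check that reads the node pool description format shown in the question and reports whether the node scopes are sufficient for Cloud KMS; it accepts either the cloud-platform scope the answer names or the narrower Cloud KMS scope. The sample inputs are constructed from the asker's describe output, and remediation() only prints the two gcloud commands the fix needs, with PROJECT, SA, ZONE and CLUSTER as placeholders.

```shell
#!/bin/sh
# Added example: decide from `gcloud container node-pools describe` output
# whether a GKE node pool can call Cloud KMS, and print the fix commands.

# Constructed sample: the asker's original pool (no cloud-platform scope).
NODEPOOL_BEFORE='config:
  imageType: COS
  oauthScopes:
  - https://www.googleapis.com/auth/devstorage.read_only
  - https://www.googleapis.com/auth/logging.write
  - https://www.googleapis.com/auth/monitoring
  serviceAccount: default'

# Constructed sample: the same pool recreated with the cloud-platform scope.
NODEPOOL_AFTER='config:
  oauthScopes:
  - https://www.googleapis.com/auth/cloud-platform
  - https://www.googleapis.com/auth/logging.write
  serviceAccount: default'

# Print only the scope URLs from the describe output (the "  - https://..." lines).
list_scopes() {
    printf '%s\n' "$1" | awk '
        /^  oauthScopes:/ { inlist = 1; next }
        inlist && /^  - / { sub(/^  - /, ""); print; next }
        inlist { inlist = 0 }'
}

# Return 0 if the pool can reach KMS: the broad cloud-platform scope or the
# narrower cloudkms scope must be present (assumption: no other scope suffices).
has_kms_scope() {
    list_scopes "$1" | grep -qE '^https://www\.googleapis\.com/auth/(cloud-platform|cloudkms)$'
}

# Print (do not run) the two steps the accepted fix needs: a node pool with the
# scope, then the decrypt/encrypt IAM role on the node service account.
remediation() {
    cat <<'EOF'
gcloud container node-pools create kms-pool --cluster CLUSTER --zone ZONE \
    --num-nodes 1 --scopes default,cloud-platform
gcloud projects add-iam-policy-binding PROJECT \
    --member serviceAccount:SA --role roles/cloudkms.cryptoKeyEncrypterDecrypter
EOF
}

if has_kms_scope "$NODEPOOL_BEFORE"; then echo "before: ok"; else echo "before: missing KMS scope"; fi
if has_kms_scope "$NODEPOOL_AFTER"; then echo "after: ok"; else echo "after: missing KMS scope"; fi
```

Note that the scope only lets the node's token reach the KMS API; the second PermissionDenied in the question is the missing IAM role, which remediation() grants separately.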
