Google Cloud Composer get default service account private key - airflow

I'm using pymongo (from airflow hook) to connect to a mongo instance which implements FLE (Field Level Encryption) using google kms for the keys. We have a VM which has a service account file and this is how we configured it
    import json

    from airflow.providers.mongo.hooks.mongo import MongoHook
    from pymongo.encryption_options import AutoEncryptionOpts

    # Inside the operator method:
    hook = MongoHook(self.source_conn_id)
    with open(self.gcs_service_account_keypath) as f:
        creds = json.load(f)
    kms_providers = {
        "gcp": {
            "email": creds['client_email'],
            # Strip the PEM header and footer, leaving the base64 key body
            "privateKey": creds['private_key'].replace(
                '-----BEGIN PRIVATE KEY-----\n', '').replace(
                '\n-----END PRIVATE KEY-----\n', '')
        }
    }
    auto_encryption_opts = AutoEncryptionOpts(
        kms_providers, key_vault_namespace=self.mongo_key_vault_namespace, bypass_auto_encryption=True)
    hook.extras = {'auto_encryption_opts': auto_encryption_opts}
Now I'm trying to do the same in Cloud Composer but I can't find how to access the private key from the default service account in Cloud Composer. I could export the service account key, add it to Secret Manager and access it like that, but it doesn't seem like a very good idea.
Any ideas how I can access it?

There are three types of service account private keys. Google managed, user managed and user supplied (imported).
You cannot directly access the private key from a compute service as the metadata server does not provide access to private keys - only tokens created from private keys.
The standard recommendation is to use the IAM APIs to sign blobs/JWTs.
Your other option is to use user managed where you download the service account JSON key file and provide that file to your application or load as a secret from Secret Manager or a similar service.

You can generate a service account key following these steps. Instead of using Secret Manager, you can put the private key in the GCS bucket associated with your environment and put it in your data folder: gs://bucket-name/data to make it accessible. For more information on using the Cloud Storage bucket associated with your Cloud Composer environment, you can refer to this documentation.
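A more defensive version of the PEM-stripping step from the question, as an added example that is not part of the original posts. It assumes a user-managed key file is available as the answers describe; the helper names and the sample key are constructed for illustration.

```python
import base64
import binascii
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN PRIVATE KEY-----(.*?)-----END PRIVATE KEY-----", re.S)


def gcp_kms_provider(creds: dict) -> dict:
    """Build the "gcp" kms_providers entry from parsed service account JSON."""
    if creds.get("type") != "service_account":
        raise ValueError("not a service account key file")
    match = PEM_RE.search(creds.get("private_key", ""))
    if match is None:
        raise ValueError("private_key is not a PKCS#8 PEM block")
    # Drop every newline/CR/space, not only the ones next to the markers.
    body = "".join(match.group(1).split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("private_key body is not valid base64") from exc
    if not der or der[0] != 0x30:  # PKCS#8 DER starts with a SEQUENCE tag
        raise ValueError("decoded private_key is not DER")
    return {"gcp": {"email": creds["client_email"], "privateKey": body}}


def load_gcp_kms_provider(path: str) -> dict:
    # In Cloud Composer, gs://bucket-name/data is mounted on the workers
    # at /home/airflow/gcs/data, so path would point below that folder.
    with open(path) as f:
        return gcp_kms_provider(json.load(f))


def constructed_creds(newline: str = "\n") -> dict:
    """Constructed sample input: dummy bytes, not a real key."""
    fake_der = b"\x30\x82\x01\x00" + bytes(range(96))
    b64 = base64.encodebytes(fake_der).decode().strip().replace("\n", newline)
    pem = (f"-----BEGIN PRIVATE KEY-----{newline}{b64}{newline}"
           f"-----END PRIVATE KEY-----{newline}")
    return {"type": "service_account",
            "client_email": "sa@example-project.iam.gserviceaccount.com",
            "private_key": pem}


if __name__ == "__main__":
    provider = gcp_kms_provider(constructed_creds("\r\n"))
    print(provider["gcp"]["email"], len(provider["gcp"]["privateKey"]))
```

The returned dict can be passed to AutoEncryptionOpts in place of the hand-built kms_providers; a malformed key then fails with a ValueError here instead of later inside the driver.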

Related

Unable to create private key for Firebase Admin SDK - Failed to generate a private key. Please try again in a few minutes

When I try to generate a new private key to use the Firebase Admin SDK I get the error:
Failed to generate a private key. Please try again in a few minutes.
The error persists now for a while already. I never created a private key for this project so far.
My service account has the following roles (translated to English):
Cloud Functions Admin
Service account token creator
Firebase Admin SDK administrator service agent
Firebase Authentication Administrator
Anyone any idea?
Thanks!
Meanwhile I found out why I got this error or at least how to fix it:
I added Storage Admin as a role to my service account and I was able to generate a new key.

Failed to generate a private key. Please try again in a few minutes. Firebase doesn't generate new private key for a project

I want to generate a new private key from firebase to use the database APIs that firebase provides. When I click on get new private key to download the private key, I get this message:
Failed to generate a private key. Please try again in a few minutes.
How should I proceed to get the new private key now?
Why is this happening? Do I have the permissions to download the new private key?
(I am a viewer to the firebase project)
If you created many service account keys in the past, delete them.
1. Go to https://console.cloud.google.com/iam-admin/serviceaccounts
2. Click firebase-adminsdk-[some string]@[project name].iam.gserviceaccount.com
3. Click Keys
4. Delete all old keys
You should be able to create new keys now.
Viewer does not have the permission iam.serviceAccountKeys.create which is required to create service account keys.
You must add a role to your identity that contains that permission such as roles/iam.serviceAccountKeyAdmin
Service Account Roles
Project Viewers don’t have the access to manage the Service Account Private keys. This is the reason you got that message when you tried to create a private key. As mentioned in this documentation, you should have the Service Account Key Admin role (roles/iam.serviceAccountKeyAdmin) to manage the Service Account keys.
The Service Account Key Admin role alone is sufficient to create a Private Key. But without the Project Viewer Role you won’t be able to view the page to create a Private Key from the Firebase Console. So please ask the Project Owner or someone who has the access to grant IAM Roles on the Project to grant you the Service Account Key Admin role in addition to the Project Viewer role.
If your Chrome browser has an update pending, Firebase throws this message. Update your Chrome and retry, it should work.

Do I need to Treat the Firebase Service Account Name as a Secret?

When I create a Firebase service account for the admin SDK, I retrieve credentials that include the service account name and private key to authenticate.
I'm managing the private key as a "secret" environment variable in my build tool, i.e. it won't be exposed to other users of the build tool.
Is it advised to also maintain the service account name as a secret or is it safe to expose it to other developers? I'm kind of comparing it to accessing an email account, where the email address is publicly known (compare: account name), but the password to the account stays secret (compare: private key), but I may be wrong here.
No, there is no need to worry about that name of the service account that you use. It's just the key that is used to help you identify the credentials, and has no meaning in securing those credentials.
If someone would be able to retrieve your full credentials based on the service account name, I'd say the problem is much bigger than just those credentials.

Is there a way to enable Firebase Auth via Email through an API/CLI?

We are transitioning to using Terraform to create our architecture on Google Compute, and part of it utilises Firebase for the front-end. So far, I have managed to get this all working fine, but have hit a snag on Firebase Auth. Essentially, I want to allow 'Email/Password' authentication on a Firebase project programmatically.
The above shows where you find the setting in the UI console, but I want to be able to do that via an API/CLI, and also set the 'Authorised Domain'.
Yes, as of November 2022, this is now possible, either using Terraform, or the gcloud CLI and a bit of scripting. Both methods make use of the REST Identity Toolkit API.
If using Terraform: Your config file needs to specify a google_identity_platform_project_default_config resource: the documentation for it is available here. By way of example – assuming you've already declared a google_project resource called my_project, you could add the google_identity_platform_project_default_config resource as follows:
    resource "google_identity_platform_project_default_config" "myconfig" {
      project = google_project.my_project.project_id
      sign_in {
        allow_duplicate_emails = false
        anonymous {
          enabled = false
        }
        email {
          enabled           = true
          password_required = false
        }
      }
    }
This would enable email+password authentication, disallow anonymous access, and disallow duplicate email addresses.
If using the gcloud CLI: This would be a good deal fiddlier. I haven't tested it out completely, but it is presumably equivalent to what Terraform is doing behind the scenes. You need to obtain a service account access token, then use cURL (or a similar tool/API) to amend the Identity Toolkit configuration using the PATCH method (documentation here), supplying the token in the "Authorization" header.
gcloud lets you get an access token using the command gcloud auth print-access-token, but according to this 2021 blog post [1] by @DazWilkin, the token obtained using your regular human credentials can't perform the necessary PATCH operation; you need to use a token backed by a service account that has the correct permissions.
The blog post gives further details, but roughly, the steps are:
1. Create a service account and give it the correct permissions. (Not necessary if you already have an appropriate service account; such an account can be created either using the Firebase console or Terraform's google_service_account resource.)
2. Create a JSON service account key file. (Not necessary if you already have a key created, plus a JSON file for it. These JSON files contain an object with the keys "project_id", "private_key_id", and "private_key", and are exactly the same sort of file as gets generated from the Firebase console if you go to "Project Overview" / "Project Settings" / "Service Accounts" / "Generate new private key". They can also be created programmatically using Terraform's google_service_account_key resource.)
3. Allow gcloud to perform operations using the service account's permissions, by running gcloud's "auth activate-service-account" subcommand: something like
    $ gcloud auth activate-service-account --key-file=/path/to/key-file.json EMAIL_ADDRESS_OF_SERVICE_ACCOUNT
4. Obtain an access token for the service account by running gcloud auth print-access-token EMAIL_ADDRESS_OF_SERVICE_ACCOUNT.
5. Supply that token in the header of an HTTP PATCH request using cURL.
For more details, see the blog post; it's concerned with amending the "authorized domains" list for a Firebase project, but enabling email/password authentication would be very similar.
[1] Also mentioned in this Stack Overflow answer.
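The final PATCH step of the procedure above, as an added example that is not part of the original answer or the linked blog post. The URL, update mask and body fields follow the Identity Toolkit v2 admin REST API's Config resource; the function name, project ID and domain list are hypothetical.

```python
import json
import os
import urllib.parse
import urllib.request

API = "https://identitytoolkit.googleapis.com/admin/v2"


def build_email_signin_patch(project_id, access_token, *, enabled=True,
                             password_required=True, domains=None):
    """Return an unsent PATCH request for the project's Identity Toolkit config."""
    # passwordRequired=False additionally allows email-link sign-in.
    body = {"signIn": {"email": {"enabled": enabled,
                                 "passwordRequired": password_required}}}
    mask = ["signIn.email.enabled", "signIn.email.passwordRequired"]
    if domains is not None:
        # authorizedDomains is replaced as a whole, so pass the full list.
        body["authorizedDomains"] = list(domains)
        mask.append("authorizedDomains")
    url = (f"{API}/projects/{urllib.parse.quote(project_id, safe='')}/config"
           f"?updateMask={','.join(mask)}")
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    # Token from: gcloud auth print-access-token EMAIL_ADDRESS_OF_SERVICE_ACCOUNT
    # read from the environment so it is not typed into argv.
    req = build_email_signin_patch(
        "example-project",  # hypothetical project ID
        os.environ.get("ACCESS_TOKEN", "PLACEHOLDER_TOKEN"),
        domains=["localhost", "app.example.com"])
    # Dry run: show what would be sent; urllib.request.urlopen(req) sends it.
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```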

Firebase Admin SDK - Get the private key from discovered service account

I'm minting custom tokens using the node admin SDK within a cloud function. As I'm using firebase cloud functions, the default service account is discovered automatically in the managed environment.
Due to this, I'm able to sign custom tokens using the default service account. However I'm not able to verify these tokens, as the admin SDK only allows us to verify ID tokens and not custom tokens.
Is there any way that I can get access to the private key in the default service account via the admin SDK so that I can use a 3rd-party library to verify them?
