Providing keyFilename of Google Client Service Account from Google Cloud Storage

痞子三分冷 提交于 2021-02-19 08:15:29

问题


To connect to Google Cloud BigQuery that exists in a different GCP project from a Google Cloud Function, I am creating the BigQuery Client as follows:

const {BigQuery} = require('@google-cloud/bigquery');
const options = {
    keyFilename: 'path/to/service_account.json',
    projectId: 'my_project',
  };
const bigquery = new BigQuery(options);

But instead of storing the service_account.json in my Cloud Function, I want to store the Service Account in Google Cloud Storage and provide the Google Cloud Storage path in the keyFilename above. I couldn't find any documentation if it is possible to provide a google cloud storage path instead of a local path.


回答1:


You can not provide the Google Cloud Storage Path. Assuming you deployed your function with the right permissions to access the blob (key.json file) from your bucket, then you can download your file from Google Cloud Storage to \tmp directory of your Cloud Function.

Downloading objects

const {Storage} = require('@google-cloud/storage');
const {BigQuery} = require('@google-cloud/bigquery');

// Creates a client
const storage = new Storage();

async function downloadFile() {
  const options = {
    // The path to which the file should be downloaded, e.g. "./file.txt"
    destination: \tmp\key.json,
  };

  // Downloads the file
  await storage
    .bucket(bucketName)
    .file(srcFilename)
    .download(options);

  console.log(
    `gs://${bucketName}/${srcFilename} downloaded to ${destFilename}.`
  );
}

downloadFile().catch(console.error);

const options = {
    keyFilename: '/tmp/key.json',
    projectId: 'my_project',
  };

const bigquery = new BigQuery(options);



A better solution would be to store the key.json file with Google Secret Manager. Then assign to your cloud function the role secretmanager.secretAccessor and access the secret from you cloud function.

Creating secrets and versions

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const name = 'projects/my-project/secrets/my-secret/versions/5';
// const name = 'projects/my-project/secrets/my-secret/versions/latest';

// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');

// Instantiates a client
const client = new SecretManagerServiceClient();

async function accessSecretVersion() {
  const [version] = await client.accessSecretVersion({
    name: name,
  });

  // Extract the payload as a string.
  const payload = version.payload.data.toString('utf8');

  // WARNING: Do not print the secret in a production environment - this
  // snippet is showing how to access the secret material.
  console.info(`Payload: ${payload}`);
}

accessSecretVersion();



来源:https://stackoverflow.com/questions/59857651/providing-keyfilename-of-google-client-service-account-from-google-cloud-storage

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!