|
|
@@ -18,6 +18,7 @@ import os
|
|
|
|
|
|
# Workaround: `grpc` must be imported before `google.protobuf.json_format`,
|
|
|
# to prevent "Segmentation fault". Ref https://github.com/grpc/grpc/issues/24897
|
|
|
+from google.cloud import secretmanager_v1
|
|
|
# TODO(sergiitk): Remove after #24897 is solved
|
|
|
import grpc
|
|
|
from absl import flags
|
|
|
@@ -29,6 +30,11 @@ import googleapiclient.errors
|
|
|
import tenacity
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
+PRIVATE_API_KEY_SECRET_NAME = flags.DEFINE_string(
|
|
|
+ "private_api_key_secret_name",
|
|
|
+ default=None,
|
|
|
+ help="Load Private API access key from the latest version of the secret "
|
|
|
+ "with the given name, in the format projects/*/secrets/*")
|
|
|
V1_DISCOVERY_URI = flags.DEFINE_string("v1_discovery_uri",
|
|
|
default=discovery.V1_DISCOVERY_URI,
|
|
|
help="Override v1 Discovery URI")
|
|
|
@@ -51,17 +57,43 @@ class GcpApiManager:
|
|
|
v1_discovery_uri=None,
|
|
|
v2_discovery_uri=None,
|
|
|
compute_v1_discovery_file=None,
|
|
|
- private_api_key=None):
|
|
|
+ private_api_key_secret_name=None):
|
|
|
self.v1_discovery_uri = v1_discovery_uri or V1_DISCOVERY_URI.value
|
|
|
self.v2_discovery_uri = v2_discovery_uri or V2_DISCOVERY_URI.value
|
|
|
self.compute_v1_discovery_file = (compute_v1_discovery_file or
|
|
|
COMPUTE_V1_DISCOVERY_FILE.value)
|
|
|
- self.private_api_key = private_api_key or os.getenv('PRIVATE_API_KEY')
|
|
|
+ self.private_api_key_secret_name = (private_api_key_secret_name or
|
|
|
+ PRIVATE_API_KEY_SECRET_NAME.value)
|
|
|
self._exit_stack = contextlib.ExitStack()
|
|
|
|
|
|
def close(self):
|
|
|
self._exit_stack.close()
|
|
|
|
|
|
+ @property
|
|
|
+ @functools.lru_cache(None)
|
|
|
+ def private_api_key(self):
|
|
|
+ """
|
|
|
+ Private API key.
|
|
|
+
|
|
|
+ Return API key credential that identifies a GCP project allow-listed for
|
|
|
+ accessing private API discovery documents.
|
|
|
+ https://pantheon.corp.google.com/apis/credentials
|
|
|
+
|
|
|
+ This method lazy-loads the content of the key from the Secret Manager.
|
|
|
+ https://pantheon.corp.google.com/security/secret-manager
|
|
|
+ """
|
|
|
+ if not self.private_api_key_secret_name:
|
|
|
+ raise ValueError('private_api_key_secret_name must be set to '
|
|
|
+ 'access private_api_key.')
|
|
|
+
|
|
|
+ secrets_api = self.secrets('v1')
|
|
|
+ version_resource_path = secrets_api.secret_version_path(
|
|
|
+ **secrets_api.parse_secret_path(self.private_api_key_secret_name),
|
|
|
+ secret_version='latest')
|
|
|
+ secret: secretmanager_v1.AccessSecretVersionResponse
|
|
|
+ secret = secrets_api.access_secret_version(name=version_resource_path)
|
|
|
+ return secret.payload.data.decode()
|
|
|
+
|
|
|
@functools.lru_cache(None)
|
|
|
def compute(self, version):
|
|
|
api_name = 'compute'
|
|
|
@@ -93,6 +125,13 @@ class GcpApiManager:
|
|
|
|
|
|
raise NotImplementedError(f'Network Services {version} not supported')
|
|
|
|
|
|
+ @functools.lru_cache(None)
|
|
|
+ def secrets(self, version):
|
|
|
+ if version == 'v1':
|
|
|
+ return secretmanager_v1.SecretManagerServiceClient()
|
|
|
+
|
|
|
+ raise NotImplementedError(f'Secrets Manager {version} not supported')
|
|
|
+
|
|
|
def _build_from_discovery_v1(self, api_name, version):
|
|
|
api = discovery.build(api_name,
|
|
|
version,
|
Sergii Tkachenko