I have a shell script that tries to download some secrets from Secret Manager inside a Dataproc cluster.
```bash
# Error and Log are helper functions defined elsewhere in the script.
GetAuthJson() {
    # curl exits 0 on an HTTP 403 unless told to fail, so the $? check below
    # never caught the permission error; --fail-with-body (curl 7.76+) makes
    # the request fail while still capturing the JSON error body.
    authjson=$(curl --silent --show-error --fail-with-body \
        "https://secretmanager.googleapis.com/v1/projects/$PROJECT_ID/secrets/$AUTH_JSON/versions/1:access" \
        --request "GET" \
        --header "authorization: Bearer $(gcloud auth print-access-token)" \
        --header "content-type: application/json")
    if [ $? -ne 0 ]; then
        Error "Unable to extract the $PIPENAME Auth json details from GCP Secret Manager"
    fi
    # The access response carries the secret as base64 in payload.data.
    echo "$authjson" | grep -o '"data": "[^"]*' | grep -o '[^"]*$' >"$BASE_DIR/encodedauth.json"
    if [ $? -ne 0 ]; then
        Error "Unable to save the $PIPENAME auth.json server secret to auth.json"
    fi
    auth_json=$(base64 -d "$BASE_DIR/encodedauth.json")
    base64 -d "$BASE_DIR/encodedauth.json" >/etc/secrets/auth.json
    if [ $? -ne 0 ]; then
        Error "Unable to decode the $PIPENAME auth.json server secret"
    fi
    Log "auth.json secret extraction done"
}
```
When I run this curl it generates an error:

```text
authjson='{
"error": {
"code": 403,
"message": "Permission '\''secretmanager.versions.access'\'' denied for resource '\''projects/**-**-dev/secrets/**_AUTH_JSON/versions/1'\'' (or it may not exist).",
"status": "PERMISSION_DENIED"
}
}'
```
The same curl with the same service account works on my local machine, and moreover, if I copy the curl from local and run it in the Dataproc cluster, it works as well. But the curl generated from Dataproc fails locally.
What's more weird is that if I run gcloud auth print-access-token separately and paste it into the curl command, it works on both machines.
So my question is: why is the gcloud auth print-access-token generated as part of curl in the Dataproc cluster not working?
CodePudding user response:
It would be useful if you could capture the value of the curl command or, at least, the value of gcloud auth print-access-token that's failing in the script.
I suspect (I'm unfamiliar with Dataproc) that the Dataproc instance does not have gcloud installed and the gcloud auth print-access-token is failing.
If the instance does have gcloud installed, since it's running then it must have a Service Account and so should permit authenticating. There may (!?) be a more nuanced issue with getting an access token as a Dataproc instance; unclear.
Please consider using either gcloud secrets versions access directly or one of Google's client libraries to access the secret.
You're making the process more complex than it need be by curl'ing the endpoint; you're having to use gcloud anyway to get the auth token.
CodePudding user response:
The issue was that I ran the script as the sudo user. When I ran it normally, it worked.
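The following is an added example, not code from the question or either answer. It shows the two things a practitioner would want after reading this thread: why `sudo` changes which account `gcloud auth print-access-token` mints a token for (gcloud reads its credentials from `$CLOUDSDK_CONFIG` or `$HOME/.config/gcloud`, and sudo normally resets `HOME` to `/root`), and how to fetch a secret so that an HTTP 403 actually trips the error check instead of being written to disk as if it were the secret. It assumes `gcloud` on PATH (only for `fetch_secret`), curl 7.76 or newer for `--fail-with-body`, and GNU coreutils `base64`/`sed`; the `tokeninfo` lookup uses Google's real endpoint but needs network and is not exercised offline. The JSON bodies at the bottom are constructed samples, not real API output.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes: gcloud on PATH
# (only for fetch_secret), curl >= 7.76 for --fail-with-body, GNU coreutils
# base64/sed. The sample JSON bodies below are constructed, not real output.

# Where gcloud reads its credentials. sudo normally resets HOME to /root, so
# `sudo ./script.sh` makes gcloud read /root/.config/gcloud and mint a token
# for whatever account is active there (or the VM's default service account),
# not for the account activated in the invoking user's config.
# Optional argument: the HOME to evaluate (lets you see what sudo would use).
gcloud_config_dir() {
    printf '%s\n' "${CLOUDSDK_CONFIG:-${1:-$HOME}/.config/gcloud}"
}

# Report which account a bearer token belongs to (needs network; not run in
# the demo). The sed assumes a pretty-printed response with "email" on its
# own line, which is how tokeninfo replies.
token_email() {
    curl --silent --fail "https://oauth2.googleapis.com/tokeninfo?access_token=$1" \
        | sed -n 's/.*"email": *"\([^"]*\)".*/\1/p'
}

# Parse a Secret Manager versions:access response body. Prints the decoded
# secret on success (return 0); prints the API error message to stderr and
# returns 1 on an error body; returns 2 if no payload.data is present.
# This is the check the original script lacked: it grepped for "data" and
# treated an empty match as a save failure rather than as a denied request.
secret_from_response() {
    body="$1"
    case "$body" in
        *'"error"'*)
            msg=$(printf '%s\n' "$body" | sed -n 's/.*"message": *"\([^"]*\)".*/\1/p')
            printf 'Secret Manager error: %s\n' "${msg:-unknown}" >&2
            return 1
            ;;
    esac
    encoded=$(printf '%s\n' "$body" | sed -n 's/.*"data": *"\([^"]*\)".*/\1/p')
    if [ -z "$encoded" ]; then
        echo 'no payload.data in response' >&2
        return 2
    fi
    printf '%s' "$encoded" | base64 -d
}

# Fetch a secret version and check both curl's exit status and the body.
# --fail-with-body makes curl exit non-zero on a 403 while still returning
# the JSON error body; plain curl exits 0 on HTTP errors.
fetch_secret() {
    project="$1"; secret="$2"; version="${3:-latest}"
    token=$(gcloud auth print-access-token) || return 1
    body=$(curl --silent --show-error --fail-with-body \
        --header "Authorization: Bearer $token" \
        "https://secretmanager.googleapis.com/v1/projects/$project/secrets/$secret/versions/$version:access")
    rc=$?
    if [ "$rc" -ne 0 ]; then
        printf 'curl exited %s; token came from config dir %s\n' "$rc" "$(gcloud_config_dir)" >&2
    fi
    secret_from_response "$body"
}

# Constructed sample bodies for an offline demo (shape of the real API,
# invented values). "aGVsbG8K" is base64 for "hello\n".
OK_BODY='{"name": "projects/123456/secrets/demo/versions/1", "payload": {"data": "aGVsbG8K"}}'
ERR_BODY=$(cat <<'EOF'
{
  "error": {
    "code": 403,
    "message": "Permission 'secretmanager.versions.access' denied for resource 'projects/example-dev/secrets/EXAMPLE_AUTH_JSON/versions/1' (or it may not exist).",
    "status": "PERMISSION_DENIED"
  }
}
EOF
)

secret_from_response "$OK_BODY"        # prints: hello
secret_from_response "$ERR_BODY" || :  # stderr: Secret Manager error: Permission 'secretmanager.versions.access' denied ...
gcloud_config_dir /root                # prints: /root/.config/gcloud (what sudo would use)
```

To diagnose the thread's symptom directly, run `token_email "$(gcloud auth print-access-token)"` once as the normal user and once under `sudo`; if the two emails differ, the script is minting tokens for a different principal than the one granted `secretmanager.versions.access`. If the script must run as root, set `CLOUDSDK_CONFIG` to the intended config directory (or grant the role to the VM's service account) rather than relying on whichever `HOME` sudo hands the process. Also note that both the original script and `fetch_secret` put the decoded secret on disk or stdout; set a restrictive `umask` before writing it to a file.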