getsentry / self-hosted

Sentry, feature-complete and packaged up for low-volume deployments and proofs-of-concept
https://develop.sentry.dev/self-hosted/
7.9k stars 1.77k forks

Set up PAT for GCB ⇔ GHA #1867

Closed chadwhitacre closed 1 year ago

chadwhitacre commented 1 year ago

For https://github.com/getsentry/self-hosted/issues/1756.

From https://getsentry.atlassian.net/servicedesk/customer/portal/4/ISD-3978:

We decided to have Google Cloud Build continue to push to DockerHub, and instead trigger a Github workflow to run tests through an API request. To accomplish this goal we need to have a Personal Access Token for one of the bot accounts so we can make an API call to kick off the end-to-end tests workflow on Github from the Google Cloud Build runner. This token would need to be added to the 3 cloudbuild.yml files in sentry, relay, and snuba. It seems BYK left behind instructions on how he added the Docker secret here: sentry/cloudbuild.yaml at 7047bc3df8b112b97652df4fc21f7ea1ce008509 · getsentry/sentry

The addition of this secret should be secure, as it will only be used on GCB. It should only need the repo scope.

I have the bot access I need.

To Do

chadwhitacre commented 1 year ago

Do I have the GCP access I need?

chadwhitacre commented 1 year ago

I think I do. I can see a key ring called service-credentials with a key called cloudbuild. That seems to match what I find in the cloudbuild.yml:

  - kmsKeyName: projects/sentryio/locations/global/keyRings/service-credentials/cryptoKeys/cloudbuild

chadwhitacre commented 1 year ago

Looking at IAM, I also have "Secret Manager Admin," so I should be good? 🤞

chadwhitacre commented 1 year ago

I guess what's throwing me off is that the only two secrets I see in Secret Manager are named github-app-[fooid], I expect to see something like docker-password in there. 🤔

chadwhitacre commented 1 year ago

I mean I guess I don't necessarily need to care about where DOCKER_PASSWORD is coming from if I can get SELF_HOSTED_E2E_PAT to work. ¯\_(ツ)_/¯

chadwhitacre commented 1 year ago

Okay I created a new secret and now I'm looking at this step:

Grant the Secret Manager Secret Accessor (roles/secretmanager.secretAccessor) IAM role for the secret to the Cloud Build service account:

But I really don't understand why it doesn't already have this role in order for the docker password to work. 🤔

I guess the question of whether I'm in the right environment (project) boils down to, is this where Cloud Build is demonstrably running CI for sentry, relay, and snuba?

chadwhitacre commented 1 year ago

projects/sentryio is in kmsKeyName.

chadwhitacre commented 1 year ago

Yeah okay and I see everything in Cloud Build—I've been here plenty of times, just double-checking. 😅

chadwhitacre commented 1 year ago

The service account is already a principal for the secret.

chadwhitacre commented 1 year ago

Looking at encryption next.

chadwhitacre commented 1 year ago

Now that you have a key, you can use that key to encrypt text or binary content.

https://cloud.google.com/kms/docs/create-encryption-keys#encrypt_data

chadwhitacre commented 1 year ago

Looks like I have gcloud already installed. :phew:

chadwhitacre commented 1 year ago

#!/usr/bin/env zsh
gcloud kms encrypt \
    --location "global" \
    --project "sentryio" \
    --keyring "service-credentials" \
    --key "cloudbuild" \
    --plaintext-file pat \
    --ciphertext-file pat.enc

$ ./encrypt
API [cloudkms.googleapis.com] not enabled on project [301117755169]. Would you like to enable and retry (this will take a few minutes)? (y/N)?  n

ERROR: (gcloud.kms.encrypt) PERMISSION_DENIED: Cloud Key Management Service (KMS) API has not been used in project 301117755169 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudkms.googleapis.com/overview?project=301117755169 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
- '@type': type.googleapis.com/google.rpc.Help
  links:
  - description: Google developers console API activation
    url: https://console.developers.google.com/apis/api/cloudkms.googleapis.com/overview?project=301117755169
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: googleapis.com
  metadata:
    consumer: projects/301117755169
    service: cloudkms.googleapis.com
  reason: SERVICE_DISABLED
$

That's not the project number of the sentryio project. 🤔

chadwhitacre commented 1 year ago

https://console.cloud.google.com/iam-admin/settings?project=301117755169

resolves to

https://console.cloud.google.com/iam-admin/settings?project=self-hosted-lol

Must be something in local config for gcloud ...

chadwhitacre commented 1 year ago

Ah, leftover from hackweek trailcam project. ☺️

chadwhitacre commented 1 year ago

$ gcloud config set project sentryio
Updated property [core/project].
$

chadwhitacre commented 1 year ago

#!/usr/bin/env zsh
gcloud kms encrypt \
    --project "sentryio" \
    --location "global" \
    --keyring "service-credentials" \
    --key "cloudbuild" \
    --plaintext-file pat \
    --ciphertext-file pat.enc

$ ./encrypt
ERROR: (gcloud.kms.encrypt) PERMISSION_DENIED: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/sentryio/locations/global/keyRings/service-credentials/cryptoKeys/cloudbuild' (or it may not exist).
$

chadwhitacre commented 1 year ago

I have a vague memory of having to do this with the service account before, maaaaaaaybe for the docker thing though I think that was just before my time?

chadwhitacre commented 1 year ago

https://cloud.google.com/sdk/gcloud/reference/auth/activate-service-account

chadwhitacre commented 1 year ago

$ gcloud iam service-accounts keys create key.json --iam-account=sentryio@appspot.gserviceaccount.com
created key [deadbeef] of type [json] as [key.json] for [sentryio@appspot.gserviceaccount.com]
$

💃

This account has the needed permission.

chadwhitacre commented 1 year ago

#!/usr/bin/env zsh
set -e

gcloud config set account chadwhitacre@sentry.io
gcloud config set project sentryio

account="sentryio@appspot.gserviceaccount.com"
account="345757944225@cloudbuild.gserviceaccount.com"
gcloud iam service-accounts keys create key.json --iam-account $account
gcloud auth activate-service-account $account --key-file key.json

gcloud kms encrypt \
  --location global \
  --keyring service-credentials \
  --key cloudbuild \
  --plaintext-file pat \
  --ciphertext-file pat.enc

$ ./encrypt
Updated property [core/project].
created key [foobar] of type [json] as [key.json] for [sentryio@appspot.gserviceaccount.com]
Activated service account credentials for: [sentryio@appspot.gserviceaccount.com]
ERROR: (gcloud.kms.encrypt) PERMISSION_DENIED: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/sentryio/locations/global/keyRings/service-credentials/cryptoKeys/cloudbuild' (or it may not exist).
$

This account appears to have "Cloud KMS CryptoKey Decrypter" for the cloudbuild key, so I'm not sure what's up. With the other account I make it even less far:

$ ./encrypt 
Updated property [core/account].
Updated property [core/project].
ERROR: (gcloud.iam.service-accounts.keys.create) NOT_FOUND: Unknown service account
$
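
The two failures in the thread (gcloud pointed at a leftover project, then a principal that holds only a Decrypter role on the key) are both checkable before calling `gcloud kms encrypt`. The script below is an added example, not code from this issue or from the sentry, relay or snuba repositories. It takes the project, key ring, key and the `SELF_HOSTED_E2E_PAT` variable name from the thread; the file names, the `render_cloudbuild_secret` helper and the `RUN_ENCRYPT` switch are hypothetical. Note that the Decrypter role seen on the service account is what a build needs to *use* the secret; whoever produces the ciphertext needs an Encrypter role instead, and the `key.json` created in the thread is a long-lived credential that should be deleted once the ciphertext exists.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or the Sentry repos): check the active
# gcloud project and the caller's KMS role, encrypt a PAT with the Cloud Build
# key, and print the legacy `secrets:` block for cloudbuild.yaml.
# Assumed: key name from the thread; file names and env switch are hypothetical.
set -eu

KMS_KEY_NAME="projects/sentryio/locations/global/keyRings/service-credentials/cryptoKeys/cloudbuild"

# Pull one path segment out of a full kmsKeyName (pure string handling).
kms_field() {  # usage: kms_field <kmsKeyName> <projects|locations|keyRings|cryptoKeys>
  local name="$1" field="$2" rest
  rest="${name#*"$field"/}"
  printf '%s\n' "${rest%%/*}"
}

# Predefined Cloud KMS roles that carry cloudkms.cryptoKeyVersions.useToEncrypt.
# roles/cloudkms.cryptoKeyDecrypter and roles/cloudkms.admin do not, which is
# the "PERMISSION_DENIED ... useToEncrypt" error seen in the thread.
role_can_encrypt() {  # returns 0 if the predefined role allows encryption
  case "$1" in
    roles/cloudkms.cryptoKeyEncrypter|roles/cloudkms.cryptoKeyEncrypterDecrypter) return 0 ;;
    *) return 1 ;;
  esac
}

# A stale core/project makes gcloud try to enable the KMS API on the wrong
# project before it ever reaches the key, so compare it with the key's project.
check_project() {
  local want have
  want="$(kms_field "$KMS_KEY_NAME" projects)"
  have="$(gcloud config get-value project 2>/dev/null)"
  if [ "$have" != "$want" ]; then
    echo "gcloud core/project is '$have' but the key lives in '$want'; run: gcloud config set project $want" >&2
    return 1
  fi
}

# Roles the active account holds directly on the key. Only key-level bindings
# with predefined roles are examined (no inherited or custom roles), so the
# encrypt call itself remains the authoritative test.
check_encrypt_role() {
  local account roles role
  account="$(gcloud config get-value account 2>/dev/null)"
  roles="$(gcloud kms keys get-iam-policy "$(kms_field "$KMS_KEY_NAME" cryptoKeys)" \
    --keyring "$(kms_field "$KMS_KEY_NAME" keyRings)" \
    --location "$(kms_field "$KMS_KEY_NAME" locations)" \
    --project "$(kms_field "$KMS_KEY_NAME" projects)" \
    --flatten='bindings[].members' \
    --filter="bindings.members:$account" \
    --format='value(bindings.role)')"
  for role in $roles; do
    role_can_encrypt "$role" && return 0
  done
  echo "$account has no encrypt-capable role on $KMS_KEY_NAME (found: ${roles:-none})" >&2
  return 1
}

# Encrypt the PAT and print the base64 ciphertext that goes into cloudbuild.yaml
# (base64 | tr rather than base64 -w0 so it also works on macOS).
encrypt_pat() {  # usage: encrypt_pat <plaintext-file>
  local plaintext="$1" ciphertext
  ciphertext="$(mktemp)"
  gcloud kms encrypt \
    --project "$(kms_field "$KMS_KEY_NAME" projects)" \
    --location "$(kms_field "$KMS_KEY_NAME" locations)" \
    --keyring "$(kms_field "$KMS_KEY_NAME" keyRings)" \
    --key "$(kms_field "$KMS_KEY_NAME" cryptoKeys)" \
    --plaintext-file "$plaintext" \
    --ciphertext-file "$ciphertext"
  base64 < "$ciphertext" | tr -d '\n'
  rm -f "$ciphertext"
}

# Legacy Cloud Build KMS secret block; a step that needs the token lists the
# variable under its own `secretEnv:`.
render_cloudbuild_secret() {  # usage: render_cloudbuild_secret <ENV_NAME> <base64-ciphertext>
  cat <<EOF
secrets:
- kmsKeyName: $KMS_KEY_NAME
  secretEnv:
    $1: $2
EOF
}

main() {  # usage: RUN_ENCRYPT=1 PAT_FILE=pat ./encrypt-pat.sh
  local pat_file="${PAT_FILE:-pat}" b64
  check_project
  check_encrypt_role
  b64="$(encrypt_pat "$pat_file")"
  render_cloudbuild_secret SELF_HOSTED_E2E_PAT "$b64"
  shred -u "$pat_file" 2>/dev/null || rm -f "$pat_file"  # plaintext no longer needed on disk
}

if [ "${RUN_ENCRYPT:-}" = 1 ]; then main; fi
```

Run it with `RUN_ENCRYPT=1 PAT_FILE=pat` and paste the printed block into the three `cloudbuild.yaml` files. If `check_encrypt_role` fails, ask for `roles/cloudkms.cryptoKeyEncrypter` on the key for your own account rather than minting a service-account key; if a `key.json` was already created as in the thread, remove it with `gcloud iam service-accounts keys delete <KEY_ID> --iam-account=<ACCOUNT>`.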
chadwhitacre commented 1 year ago

Bailed.