opentrace-community / opentrace-cloud-functions

OpenTrace Cloud Functions. Reference implementation of the BlueTrace protocol.
https://bluetrace.io
GNU General Public License v3.0

Should succeed in getting encryption key #5

Closed tribet84 closed 4 years ago

tribet84 commented 4 years ago

All tests passing except encryption key retrieval:

keyPath: "OpenTraceESKey"

#encryption getEncryptionSecret: Getting encryption key: projects/XXX/secrets/OpenTraceESKey/versions/1
getEncryptionKeyTest Error: 7 PERMISSION_DENIED: Permission 'secretmanager.versions.access' denied for resource 'projects/XXX/secrets/OpenTraceESKey/versions/1' (or it may not exist).
    at Object.callErrorFromStatus (C:\src\opentrace-cloud-functions\functions\node_modules\@grpc\grpc-js\src\call.ts:79:24)
    at Http2CallStream.<anonymous> (C:\src\opentrace-cloud-functions\functions\node_modules\@grpc\grpc-js\src\client.ts:155:18)
    at Http2CallStream.emit (events.js:322:22)
    at C:\src\opentrace-cloud-functions\functions\node_modules\@grpc\grpc-js\src\call-stream.ts:186:14
    at processTicksAndRejections (internal/process/task_queues.js:79:11) {
  code: 7,
  details: "Permission 'secretmanager.versions.access' denied for resource 'projects/XXX/secrets/OpenTraceESKey/versions/1' (or it may not exist).",
  metadata: Metadata { internalRepr: Map { 'grpc-server-stats-bin' => [Array] }, options: {} },
  note: 'Exception occurred in retry method that was not classified as transient'
}

Key is stored in Secret Manager and opentracees@appspot.gserviceaccount.com user has the access rights (in both IAM and Secret Manager).

majhamza commented 4 years ago

I am having the same problem too, and I checked the <project-id>@appspot.gserviceaccount.com account, and it does have the Secret Manager Secret Accessor role + the Editor role.

tribet84 commented 4 years ago

Got it working. Try with user Firebase AdminSDK (firebase-adminsdk-<random5chars>@<project-id>.iam.gserviceaccount.com) instead.

qtangs commented 4 years ago

@tribet84, I'm not sure why (our setup uses the main appspot service account), but glad that you got it working.

majhamza commented 4 years ago

Got it working. Try with user Firebase AdminSDK (firebase-adminsdk-q2gvb@<project-id>.iam.gserviceaccount.com) instead.

Thanks a lot, this worked for me too

tribet84 commented 4 years ago

@qtangs My pleasure! Would you want me to create a PR to change the readme file?

qtangs commented 4 years ago

@tribet84 sure, please create one. Thanks.

tribet84 commented 4 years ago

@qtangs PR created: #10. Still not 100% clear who should be granted permissions according to the docs, that's why I added my comment as a note, keeping yours in.

bedilbek commented 4 years ago

Hi @tribet84. I deployed the project yesterday and it worked seamlessly. Actually, if you give the correct role, Secret Manager Secret Accessor, to the project-id@appspot.gserviceaccount.com user and create a .json key for that user, it should work without any problem.
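The thread comes down to one question: which principal is the function actually running as, and does that principal hold secretAccessor on the secret named in the error? The following Node.js script is an added example, not code from opentrace-cloud-functions: it runs offline, reads the service-account key file the function would use, parses the gRPC PERMISSION_DENIED error shown above, and reports the principal and the exact IAM binding to add. The key file and error object are constructed samples; the account "kind" labels and the project-id format check are the example's own assumptions, while the `gcloud secrets add-iam-policy-binding` command it prints is the real CLI.

```javascript
// Added example (not part of opentrace-cloud-functions): an offline preflight
// check for the PERMISSION_DENIED error in this thread. It inspects the
// service-account key file the function would run as and the gRPC error, and
// says which principal needs the Secret Accessor role on which secret.
// The key file and error below are constructed samples.

const GRPC_PERMISSION_DENIED = 7;

// Fully qualified version name, as the Secret Manager client requests it.
// The project-id pattern follows the documented GCP format (assumption here).
function secretVersionName(projectId, secretId, version = "1") {
  if (!/^[a-z][a-z0-9-]{4,28}[a-z0-9]$/.test(projectId)) {
    throw new TypeError(`invalid project id: ${projectId}`);
  }
  if (!/^[A-Za-z0-9_-]{1,255}$/.test(secretId)) {
    throw new TypeError(`invalid secret id: ${secretId}`);
  }
  return `projects/${projectId}/secrets/${secretId}/versions/${version}`;
}

// Identify the principal a key file belongs to and which flavour it is
// (the "kind" labels are this example's own naming).
function describePrincipal(keyFileJson) {
  const key = JSON.parse(keyFileJson);
  if (key.type !== "service_account" || !key.client_email || !key.project_id) {
    throw new Error("not a service-account key file");
  }
  let kind = "other";
  if (key.client_email.endsWith("@appspot.gserviceaccount.com")) {
    kind = "app-engine-default";
  } else if (/^firebase-adminsdk-[a-z0-9]+@/.test(key.client_email)) {
    kind = "firebase-adminsdk";
  }
  return { email: key.client_email, projectId: key.project_id, kind };
}

// Extract the permission and resource from a gRPC PERMISSION_DENIED error;
// null means the error is something else and this diagnosis does not apply.
function parseAccessDenied(err) {
  if (!err || err.code !== GRPC_PERMISSION_DENIED) return null;
  const m = /Permission '([^']+)' denied for resource '([^']+)'/.exec(
    err.details || err.message || ""
  );
  return m ? { permission: m[1], resource: m[2] } : { permission: null, resource: null };
}

// Put the pieces together into an actionable finding.
function diagnose(keyFileJson, err) {
  const principal = describePrincipal(keyFileJson);
  const denied = parseAccessDenied(err);
  if (!denied) return { ok: true, principal, findings: [] };

  const findings = [];
  const m = /^projects\/([^/]+)\/secrets\/([^/]+)\/versions\/[^/]+$/.exec(denied.resource || "");
  if (!m) {
    findings.push(`unrecognised resource in error: ${denied.resource}`);
    return { ok: false, principal, findings };
  }
  const [, resProject, secretId] = m;
  // "(or it may not exist)": the credentials may simply belong to another project.
  if (resProject !== principal.projectId) {
    findings.push(`key is for project ${principal.projectId} but the secret lives in ${resProject}`);
  }
  if (denied.permission === "secretmanager.versions.access") {
    findings.push(
      `grant roles/secretmanager.secretAccessor to serviceAccount:${principal.email} on secret ${secretId}: ` +
      `gcloud secrets add-iam-policy-binding ${secretId} --project=${resProject} ` +
      `--member=serviceAccount:${principal.email} --role=roles/secretmanager.secretAccessor`
    );
  } else {
    findings.push(`missing permission ${denied.permission} for ${principal.email}`);
  }
  return { ok: false, principal, findings, secretId, resProject };
}

// Constructed sample inputs, shaped like the ones in this issue.
const SAMPLE_KEY = JSON.stringify({
  type: "service_account",
  project_id: "example-project",
  client_email: "example-project@appspot.gserviceaccount.com",
  private_key: "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
});
const SAMPLE_ERROR = {
  code: 7,
  details:
    "Permission 'secretmanager.versions.access' denied for resource " +
    "'projects/example-project/secrets/OpenTraceESKey/versions/1' (or it may not exist).",
};

console.log(JSON.stringify(diagnose(SAMPLE_KEY, SAMPLE_ERROR), null, 2));
```

Run it against the real key file by replacing `SAMPLE_KEY` with `fs.readFileSync(process.env.GOOGLE_APPLICATION_CREDENTIALS, "utf8")` and `SAMPLE_ERROR` with the caught error. The project-mismatch finding is the one that explains the "(or it may not exist)" wording: a key minted in one project will get PERMISSION_DENIED for a secret in another even when the role was granted correctly, which is consistent with the role being "right" in IAM yet the call still failing.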