I have my secrets in one project and want to know how to copy or move them to another project.
Is there a mechanism that does this cleanly?
Edited per John Hanley's comment.
I just had to deal with something similar myself, and came up with a simple bash script that does what I need. I run Linux. There are some prerequisites:
running gcloud config set project [SOURCE_PROJECT], and then running gcloud secrets list to get the secret names for the array ("secret_a" "secret_b" ...).
After that, you can run:
```bash
# select the source project (no command substitution needed; the command has no output to run)
gcloud config set project [SOURCE_PROJECT]
declare -a secret_array=("secret_a" "secret_b" ...)
for i in "${secret_array[@]}"
do
  SECRET_NAME="${i}_env_file"
  # read the latest version from the source project
  SECRET_VALUE=$(gcloud secrets versions access "latest" --secret="${SECRET_NAME}")
  # printf rather than echo, so no trailing newline is appended to the payload
  printf '%s' "${SECRET_VALUE}" > secret_migrate
  # create the secret in the target project from the temporary file
  gcloud secrets create "${SECRET_NAME}" --project [TARGET_PROJECT] --data-file=secret_migrate
done
rm secret_migrate
```
What this script does is set the project to the source one, then get the secrets, and one by one save each to a file and upload it to the target project.
The file is rewritten for each secret and deleted at the end.
You need to replace the secrets array (secret_array) and the project names ([SOURCE_PROJECT], [TARGET_PROJECT]) with your own data.
I used the following version, which also specifies a different name and labels each secret by its secret name:
```bash
gcloud config set project [SOURCE_PROJECT]
declare -a secret_array=("secret_a" "secret_b" ...)
for i in "${secret_array[@]}"
do
  SECRET_NAME="${i}"
  SECRET_VALUE=$(gcloud secrets versions access "latest" --secret="${SECRET_NAME}")
  # printf rather than echo, so no trailing newline is appended to the payload
  printf '%s' "${SECRET_VALUE}" > secret_migrate
  # label the copy with the environment and the secret name
  gcloud secrets create "${SECRET_NAME}" --project [TARGET_PROJECT] --data-file=secret_migrate --labels=environment=test,service="${i}"
done
rm secret_migrate
```
As of today, there is no way to have GCP transfer secrets between your projects for you.
It would make a good feature request, which you can file here: https://b.corp.google.com/issues/new?component=784854&pli=1&template=1380926
Likewise, I had just run into the same need, so what I did is a script that copies all versions and the labels of the secrets. If a secret or a specific version already exists, it is skipped. It is available as a GitHub Gist (https://gist.github.com/froblesmartin/0af7540d32dbe9e6ad97d896494c22), but I also copy it here:
```bash
#!/usr/bin/env bash
# Originally written for zsh; bash is used here because the version loop below
# relies on 0-based array indexing (zsh arrays are 1-based by default).

# Drop the CSV header line that --format="csv(name)" prints and return the remaining rows.
function transform_output_to_array() {
  local output="$1"
  local array=()
  local skip_first=true
  while IFS= read -r line; do
    if ${skip_first}; then
      skip_first=false
      continue
    fi
    array+=("${line}")
  done <<< "${output}"
  echo "${array[@]}"
}

RED='\033[0;31m'
NC='\033[0m'
SOURCE_GCP_PROJECT="your-source-project"
TARGET_GCP_PROJECT="your-target-project"

SECRETS_OUTPUT=$(gcloud secrets list --project=${SOURCE_GCP_PROJECT} --format="csv(name)")
SECRETS_ARRAY=($(transform_output_to_array "${SECRETS_OUTPUT}"))

# Payloads are written here in plaintext; remove the directory on any exit.
TEMPORARY_DIRECTORY=$(mktemp -d -p .)
trap 'rm -rf "${TEMPORARY_DIRECTORY}"' EXIT
echo "Generated temporary directory: [${TEMPORARY_DIRECTORY}]"

# Loop over the array
for SECRET_NAME in "${SECRETS_ARRAY[@]}"; do
  echo
  echo "Secret name [${SECRET_NAME}]"
  SECRET_VERSIONS_OUTPUT=$(gcloud secrets versions list --project=${SOURCE_GCP_PROJECT} --format="csv(name)" -- ${SECRET_NAME})
  SECRETS_VERSIONS_ARRAY=($(transform_output_to_array "${SECRET_VERSIONS_OUTPUT}"))
  echo "Versions: [${SECRETS_VERSIONS_ARRAY[@]}]"

  # Flatten the source secret's labels into key=value,key=value for --labels.
  SECRET_LABELS=""
  while read -r KEY VALUE; do
    SECRET_LABELS+="${KEY}=${VALUE},"
  done < <(gcloud secrets describe --project=${SOURCE_GCP_PROJECT} --format="json" -- ${SECRET_NAME} \
           | jq -r '(.labels // {}) | to_entries[] | "\(.key) \(.value)"')
  SECRET_LABELS="${SECRET_LABELS%,}"   # strip the trailing comma
  echo "Labels: [${SECRET_LABELS}]"

  # Only pass --labels when the source secret actually has labels.
  LABEL_ARGS=()
  if [[ -n "${SECRET_LABELS}" ]]; then
    LABEL_ARGS=(--labels="${SECRET_LABELS}")
  fi
  gcloud secrets create --project ${TARGET_GCP_PROJECT} "${LABEL_ARGS[@]}" -- ${SECRET_NAME} ||
    echo -e "${RED}Secret [${SECRET_NAME}] creation failed (it may already exist)${NC}"

  # Versions are listed newest first; walk the array backwards so the oldest is added first.
  SECRETS_VERSIONS_ARRAY_LENGTH=${#SECRETS_VERSIONS_ARRAY[@]}
  for ((i=SECRETS_VERSIONS_ARRAY_LENGTH-1; i>=0; i--)); do
    SECRET_VERSION="${SECRETS_VERSIONS_ARRAY[${i}]}"
    echo "Processing version: ${SECRET_VERSION}"
    PAYLOAD_FILE="${TEMPORARY_DIRECTORY}/${SECRET_NAME}_${SECRET_VERSION}"
    gcloud secrets versions access ${SECRET_VERSION} --secret=${SECRET_NAME} --project=${SOURCE_GCP_PROJECT} > "${PAYLOAD_FILE}"
    # Skip versions that can already be read in the target project.
    gcloud secrets versions access ${SECRET_VERSION} --secret=${SECRET_NAME} --project=${TARGET_GCP_PROJECT} > /dev/null 2>&1 &&
      { echo -e "${RED}Version [${SECRET_VERSION}] already exists${NC}" && continue; }
    gcloud secrets versions add --project ${TARGET_GCP_PROJECT} --data-file="${PAYLOAD_FILE}" -- ${SECRET_NAME}
  done
done
```
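As an added example that is not part of any of the answers above: the same copy driven from gcloud's --format=json output rather than csv, which streams each payload through --data-file=- so nothing is written to disk (and, unlike echo > file, nothing appends a newline to the value), adds versions oldest first so the numbering matches in the target, keeps the labels, and skips DISABLED or DESTROYED versions whose payload cannot be read. The project names, the secret name and the sample JSON are constructed, and the default dry run only prints the commands.

```python
import json
import subprocess
from typing import List, Tuple

def version_number(resource_name: str) -> int:
    """'projects/111/secrets/db-password/versions/7' -> 7."""
    return int(resource_name.rsplit("/", 1)[1])

def plan_copy(secret: str, describe_json: str, versions_json: str,
              src: str, dst: str) -> List[Tuple]:
    """Build the gcloud steps that recreate `secret` (labels and versions) in `dst`.
    describe_json: output of `gcloud secrets describe SECRET --project SRC --format=json`
    versions_json: output of `gcloud secrets versions list --secret SECRET --project SRC --format=json`
    """
    labels = json.loads(describe_json).get("labels") or {}
    create = ["gcloud", "secrets", "create", secret, "--project", dst]
    if labels:  # an empty --labels= is not passed at all
        create.append("--labels=" + ",".join(f"{k}={v}" for k, v in sorted(labels.items())))
    steps: List[Tuple] = [("create", create)]
    # gcloud lists newest first; add oldest first so version numbers line up in the target
    for v in sorted(json.loads(versions_json), key=lambda v: version_number(v["name"])):
        if v["state"] != "ENABLED":
            continue  # DISABLED/DESTROYED payloads cannot be read, so they cannot be copied
        n = str(version_number(v["name"]))
        access = ["gcloud", "secrets", "versions", "access", n, "--secret", secret, "--project", src]
        # --data-file=- reads the payload from stdin: no temp file, no appended newline
        add = ["gcloud", "secrets", "versions", "add", secret, "--project", dst, "--data-file=-"]
        steps.append(("copy", access, add))
    return steps

def run_steps(steps: List[Tuple], dry_run: bool = True) -> None:
    """Execute the plan; with dry_run the commands are only printed."""
    for step in steps:
        if dry_run:
            print(" | ".join(" ".join(argv) for argv in step[1:]))
        elif step[0] == "create":
            subprocess.run(step[1], check=False)  # non-zero if the secret already exists in dst
        else:
            payload = subprocess.run(step[1], check=True, capture_output=True).stdout
            subprocess.run(step[2], input=payload, check=True)

# Constructed sample output (trimmed to the fields used), not captured from a real project.
DESCRIBE_JSON = '{"name": "projects/111/secrets/db-password", "labels": {"team": "payments", "env": "prod"}}'
VERSIONS_JSON = ('[{"name": "projects/111/secrets/db-password/versions/3", "state": "ENABLED"},'
                 ' {"name": "projects/111/secrets/db-password/versions/2", "state": "DESTROYED"},'
                 ' {"name": "projects/111/secrets/db-password/versions/1", "state": "ENABLED"}]')

if __name__ == "__main__":
    run_steps(plan_copy("db-password", DESCRIBE_JSON, VERSIONS_JSON, "src-project", "dst-project"))
```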