Add-KmsPermissions.ps1
# Copyright (c) 2018 Google LLC.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.
##############################
#.SYNOPSIS
# Updates permissions for KMS so that the service account can create KMS keys
# and encrypt and decrypt data.
#
#.PARAMETER ServiceAccountEmail
# The email address of the service account.
#
#.PARAMETER ProjectId
# The Google Cloud Project ID to add permissions to.
#
#.EXAMPLE
# .\Add-KmsPermissions.ps1 my-service-account@my-project.iam.gserviceaccount.com
##############################
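Param (
    [Parameter(Mandatory=$true)][string]$ServiceAccountEmail,
    [string]$ProjectId
)

#######################################
# Runs gcloud with the given arguments and returns its stdout.
# Throws when gcloud exits non-zero, so a failed step (enabling the API,
# creating the key ring) is not silently followed by the IAM bindings that
# depend on it. A native command's exit status does not raise a PowerShell
# error on its own, hence the explicit $LASTEXITCODE check.
#######################################
function Invoke-Gcloud {
    $output = & gcloud @args
    if ($LASTEXITCODE -ne 0) {
        throw "gcloud $($args -join ' ') failed with exit code $LASTEXITCODE."
    }
    $output
}

# Resolve the project first so that every gcloud call below targets the same
# project, whether it came from -ProjectId or from the active gcloud config.
# Previously only the final binding step honoured -ProjectId; the key ring
# lookup and creation used whatever project gcloud defaulted to.
$projectId = if ($ProjectId) {
    $ProjectId
} else {
    [string] (Invoke-Gcloud config get-value project)
}
if (-not $projectId) {
    throw "No project ID given and no default project is set in gcloud config; pass -ProjectId."
}

Invoke-Gcloud services enable cloudkms.googleapis.com --project $projectId

# Accept either a full service account email or just the account ID (the part
# before '@'). A bare ID is looked up in the project and must match exactly one
# account, otherwise the IAM bindings below could land on the wrong principal
# (or on several, since an array would be splatted into separate arguments).
$email = if ($ServiceAccountEmail.Contains('@')) {
    $ServiceAccountEmail
} else {
    # Service account IDs are lowercase letters, digits and hyphens. Reject
    # anything else before it is interpolated into the gcloud filter expression.
    if ($ServiceAccountEmail -cnotmatch '^[a-z][a-z0-9-]*$') {
        throw "'$ServiceAccountEmail' is not a valid service account ID or email."
    }
    # value(email) prints one address per line; drop empty lines so that an
    # empty result yields a zero-length array.
    $accounts = @(Invoke-Gcloud iam service-accounts list --project $projectId `
        --format 'value(email)' "--filter=email:($ServiceAccountEmail@*)" | Where-Object { $_ })
    if ($accounts.Count -ne 1) {
        throw "Expected exactly one service account matching '$ServiceAccountEmail' in project $projectId, found $($accounts.Count)."
    }
    $accounts[0]
}

###############################################################################
# Permissions for App Engine to decrypt appsecrets.json.
$keyNameFile = './appsecrets.json.keyname'
if (-not (Test-Path -LiteralPath $keyNameFile)) {
    throw "$keyNameFile not found; run this script from the directory that contains it."
}
$keyName = ([string] (Get-Content -LiteralPath $keyNameFile)).Trim()
# The file is expected to hold the full resource name of the key
# (.../keyRings/<ring>/cryptoKeys/<key>); dropping the last two segments of
# the path yields the key ring it belongs to.
$keyRingName = ($keyName.Split('/') | Select-Object -SkipLast 2) -join '/'
if (-not $keyRingName) {
    throw "$keyNameFile does not contain a key resource name."
}
# App Engine only needs to decrypt with keys in this ring, so grant the
# decrypter role on the ring rather than anything broader.
$role = 'roles/cloudkms.cryptoKeyDecrypter'
Write-Host "Adding role $role to $email for $keyRingName."
# $keyRingName is a full resource name, so it already identifies the project
# and location; no --project/--location needed here.
Invoke-Gcloud kms keyrings add-iam-policy-binding $keyRingName `
    --member "serviceAccount:$email" --role $role

###############################################################################
# Permissions for App Engine to encrypt and decrypt secrets for
# KmsDataProtectionProvider.
$keyRingId = 'dataprotectionprovider'
$location = 'global'
# Check whether the key ring already exists in the target project. The regex is
# anchored to the final path segment so a ring whose name merely contains
# $keyRingId is not mistaken for it.
$matchingKeyRing = @(Invoke-Gcloud kms keyrings list --project $projectId --location $location `
    --format 'value(name)' "--filter=name~/keyRings/$keyRingId`$" | Where-Object { $_ })
if ($matchingKeyRing.Count -eq 0) {
    Write-Host "Creating new key ring $keyRingId..."
    Invoke-Gcloud kms keyrings create $keyRingId --project $projectId --location $location
}

# cloudkms.admin on this ring is what lets the service account create keys in
# it (see .SYNOPSIS); cryptoKeyEncrypterDecrypter covers the data protection
# operations. Both bindings are scoped to the key ring, not the project.
$roles = @('roles/cloudkms.admin', 'roles/cloudkms.cryptoKeyEncrypterDecrypter')
foreach ($role in $roles) {
    Write-Host "Adding role $role to $email for $keyRingId."
    Invoke-Gcloud kms keyrings add-iam-policy-binding $keyRingId `
        --project $projectId --location $location `
        --member "serviceAccount:$email" --role $role
}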