In [3]:
import json
import logging

import dateutil
import requests
import pandas as pd
import base64
import boto3

from google.oauth2 import service_account


from botocore.config import Config
from botocore.exceptions import ClientError

In [4]:
def get_secret(secret_name, region_name="eu-west-1"):
    # Create a Secrets Manager client
    session = boto3.session.Session()
    client = session.client(service_name="secretsmanager", region_name=region_name)

    # In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
    # See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
    # We rethrow the exception by default.

    try:
        get_secret_value_response = client.get_secret_value(SecretId=secret_name)
    except ClientError as e:
        if e.response["Error"]["Code"] == "DecryptionFailureException":
            # Secrets Manager can't decrypt the protected secret text using the provided KMS key.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response["Error"]["Code"] == "InternalServiceErrorException":
            # An error occurred on the server side.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response["Error"]["Code"] == "InvalidParameterException":
            # You provided an invalid value for a parameter.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response["Error"]["Code"] == "InvalidRequestException":
            # You provided a parameter value that is not valid for the current state of the resource.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response["Error"]["Code"] == "ResourceNotFoundException":
            # We can't find the resource that you asked for.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
    else:
        # Decrypts secret using the associated KMS key.
        # Depending on whether the secret is a string or binary, one of these fields will be populated.
        if "SecretString" in get_secret_value_response:
            return get_secret_value_response["SecretString"]
        else:
            return base64.b64decode(get_secret_value_response["SecretBinary"])

In [5]:
def get_credentials(gcp_creds_secret_name):
    try:
        gcp_creds_str = get_secret(secret_name=gcp_creds_secret_name)
    except Exception as e:
        raise Exception("Could not connect to aws secret manager: " + str(e)) from e

    try:
        gcp_creds_json = json.loads(gcp_creds_str)
        gcp_creds = service_account.Credentials.from_service_account_info(
            gcp_creds_json
        )
        return gcp_creds
    except Exception as e:
        raise Exception("Could not connect to google cloud bigquery: " + str(e)) from e

In [6]:
secret_name = "dev/airflow/gcp-service-account"

credentials = get_credentials(secret_name)

In [7]:
credentials

<google.oauth2.service_account.Credentials at 0x104239010>

In [8]:
get_secret(secret_name)

'{"auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","auth_uri":"https://accounts.google.com/o/oauth2/auth","client_email":"dbt-dev@heroes-analytics-dev.iam.gserviceaccount.com","client_id":"103895879708815755648","client_x509_cert_url":"https://www.googleapis.com/robot/v1/metadata/x509/dbt-dev%40heroes-analytics-dev.iam.gserviceaccount.com","private_key":"-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC6Xc//9yeUMrBz\\nkwerMQPlqtjdqrwAEwUlYBqjXqhcVaENl0r45jcrV2s7LLC9e8IT7TQfQtVxCSP4\\nspNSvgEmFxbCUxFnLX7QyujC2AI9X3BK4oMsWyKJEubT6ImKroyZzGVk46kNSjNQ\\nDkwIZFFBSqFFUjmIaAoQBwwYACq95HOzVDVd+INgBCmb1AmT3QJIvPMV5KHOh4vS\\ncP7ZoC+cPn24kwzJ8epHD5wN09fHV4pCTTfWlKwXlSzsi6nmDR3gdWC7H6CQ5HY3\\nOr+ELK26jhSEuM2ofuf2iFHRyNN/ZZur+n6OFpm541XuicQwgvP/Hwp4GDDKDlVy\\nYPbJPOhrAgMBAAECggEAGXCn7ZmH9MIh9czleELQdN/9tZinttzh0B3Of8GdUD68\\n0EBNqCyzmD4uhvKNTSML4Ft6HiWp7EG4ACwkUeBaWMrrEkDI+Iwsf6+ggW8qMxrd\\nlyNU46UB0bNbq3lWmTCa7yhd051Y3NW7ARvKg5S/cMm8D7HvOkX

In [11]:
gcp_creds_json = json.loads(get_secret(secret_name))
gcp_creds = service_account.Credentials.from_service_account_info(gcp_creds_json)
gcp_creds

<google.oauth2.service_account.Credentials at 0x16b0dfc50>