* Switch to google.auth.default for auth (#1)

* Allow project to be specified in tag
yashmehrotra · Feb 2, 2021 · edfb9e3 · edfb9e3
1 parent 54af3e0
commit edfb9e3
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -1,21 +1,30 @@
 # jinja2-gcp-secret-manager
+
 Jinja2 extension for fetching secrets GCP Secret Manager
 
-# Install
+## Install
 
-```console
+```sh
 pip install jinja2-gcp-secret-manager
 ```
 
 ## Usage
 
-```
+```jinja2
 # template.j2
 Secret is {% gcp_secret "secret-name" %}
 
 
 # By default, the latest version is fetched, for specific version use:
 2nd version of secret is {% gcp_secret "secret-name" version=2 %}
+
+# If you are using Application default credentials or want to explicitly specify
+the project where the secrets should be found, add the `project` term:
+3rd version of secret is {% gcp_secret "secret-name" version=2 project="abc123" %}
 ```
 
-Note: Make sure `GOOGLE_APPLICATION_CREDENTIALS` environment variable is set to the correct file path.
+## GCP Setup
+
+For this to work, make sure you either setup the `GOOGLE_APPLICATION_CREDENTIALS` environment variable set to the correct file path or use Application default credentials.  See [https://google-auth.readthedocs.io/en/latest/user-guide.html](https://google-auth.readthedocs.io/en/latest/user-guide.html) for more details.
+
+Note: If you use Application default credentials, you will need to specify project in all `gcp_secret` tags as default project cannot be determined as it can with a service account.
diff --git a/jinja2-gcp-secret-manager/__init__.py b/jinja2-gcp-secret-manager/__init__.py
@@ -7,14 +7,11 @@
 
 from jinja2 import nodes
 from jinja2.ext import Extension
+import google.auth
 from google.cloud import secretmanager
 
-if not (credentials := os.getenv('GOOGLE_APPLICATION_CREDENTIALS')):
-    raise Exception(
-        'Need to set environment variable GOOGLE_APPLICATION_CREDENTIALS')
-
+credentials, PROJECT_ID = google.auth.default()
 CLIENT = secretmanager.SecretManagerServiceClient()
-PROJECT_ID = json.load(open(credentials))['project_id']
 
 
 class GoogleSecretManager(Extension):
@@ -27,16 +24,25 @@ def parse(self, parser):
 
         parser.stream.skip_if('comma')
         version = nodes.Const('latest')
+        project = PROJECT_ID
         if parser.stream.skip_if('name:version'):
             parser.stream.skip(1)
             version = parser.parse_expression()
 
-        args = (name, version)
+        if parser.stream.skip_if('name:project'):
+            parser.stream.skip(1)
+            project = parser.parse_expression()
+
+        if not project:
+            parser.fail("project not specified", lineno=lineno)
+
+        args = (name, version, project)
 
-        return nodes.Output([
-            self.call_method('_access_secret', args)], lineno=lineno)
+        return nodes.Output(
+            [self.call_method('_access_secret', args)], lineno=lineno
+        )
 
-    def _access_secret(self, name, version):
+    def _access_secret(self, name, version, project):
         return CLIENT.access_secret_version(request={
-            'name': f'projects/{PROJECT_ID}/secrets/{name}/versions/{version}'
+            'name': f'projects/{project}/secrets/{name}/versions/{version}'
         }).payload.data.decode('utf-8')
diff --git a/setup.py b/setup.py
@@ -18,6 +18,7 @@
     packages=setuptools.find_packages(),
     license='Apache 2.0',
     install_requires=[
+        'google-auth',
         'google-cloud-secret-manager>=2.0.0',
         'Jinja2>=2.11.2',
     ],