
I'm trying to encrypt/decrypt files with Google Cloud KMS. Encrypting/decrypting with the gcloud command works perfectly. But now I need to pass this to other users who don't/should not have access to my gcloud account. They should be able to decrypt and encrypt with the curl command.

I've tried:

  • En/Decrypting with the gcloud command. Works perfectly
  • En/Decrypting on a Google Cloud Compute Engine instance. Works perfectly
  • En/Decrypting with curl. Does not work.

base64 appsettings.json.encrypted -w 0 > appsettings.json.encrypted.base

curl -v "https://cloudkms.googleapis.com/v1/projects/projectid/locations/global/keyRings/test/cryptoKeys/quickstart:encrypt" \
  -d "{\"plaintext\":\"$(cat appsettings.json.encrypted.base)\"}" \
  -H "Authorization:Bearer API KEY" \
  -H "Content-Type: application/json"

I expect to get the encrypted text.

Right now I'm getting:

{
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED"
  }
}
  • Thanks for using GCP and Cloud KMS! What are you putting into "API KEY" in your example? – Tim Dierks May 23 '19 at 20:49
  • I'm using the curl command specified here: https://cloud.google.com/kms/docs/encrypt-decrypt#kms-howto-encrypt-protocol Command with API: curl -s -X POST "https://cloudkms.googleapis.com/v1/projects/[PROJECT_ID]/locations/global/keyRings/test/cryptoKeys/quickstart:encrypt" \ -d "{\"plaintext\":\"[BASE64_ENCODED_INPUT]\"}" \ -H "Authorization:Bearer XXXXXXXXXXXX"\ -H "Content-Type:application/json" – Sam May 23 '19 at 21:14
  • Where did you get the authorization token in this function ("AIzaSy ... Ew")? What identity do you want people to use when encrypting/decrypting? As themselves (their personal accounts would be on the ACL for the key)? If so, you would use the flows described on https://cloud.google.com/docs/authentication/end-user to get an API KEY. – Tim Dierks May 23 '19 at 21:35
  • I created the token on the "API's and services" page. Create credentials -> API-key... I don't know which identity they should have? I just want them to be able to encrypt/decrypt scripted with the use of the API KEY. – Sam May 23 '19 at 23:08
  • The token should start with `ya29.`. I think you may be using the wrong type of API token. As Tim mentioned, you should follow the steps on this page to get a token: https://cloud.google.com/docs/authentication/end-user – sethvargo May 24 '19 at 12:48
  • I looked into the documentation you both provided. But somehow I'm not able to create an API key that starts with ya29. I can only create API keys, while you're both talking about API tokens? I found the following documentation: https://medium.com/@pablo127/google-api-authentication-with-oauth-2-on-the-example-of-gmail-a103c897fd98. They received an access token starting with ya29 like the one I should use. But I need a way to request this token with only the API KEY and without confirming OAuth 2. – Sam May 24 '19 at 14:11
  • @sethvargo Thanks for your response. Is it even possible to encrypt plaintext with only an API_KEY, without OAuth2? I created an API_KEY and restricted it to "Cloud Key Management Service (KMS) API" but I still can't get it working. – Sam May 30 '19 at 18:00
  • I do not believe it's possible to call GCP APIs without an oauth token. – sethvargo May 30 '19 at 18:22
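The thread concludes that an API key cannot authenticate a Cloud KMS call: the `Authorization: Bearer` header expects an OAuth 2 access token (one that starts with `ya29.`), and an `AIzaSy...` API key produces exactly the 401 UNAUTHENTICATED response shown in the question. The script below is an added example, not code from the question, the comments or Google's documentation. It takes the token from `gcloud auth print-access-token` (for unattended users, a service account activated with `gcloud auth activate-service-account --key-file=...` and granted the key's encrypter/decrypter role would be used instead of a personal account), refuses anything that is not shaped like an OAuth 2 token before sending, and builds the request bodies for `:encrypt` and `:decrypt`. It assumes `PROJECT_ID` is set in the environment and that `jq` is installed; the key ring `test` and key `quickstart` are the ones from the question.

```shell
#!/usr/bin/env bash
# Added example: Cloud KMS encrypt/decrypt over REST with an OAuth 2 access
# token instead of an API key. Not from the question or Google's docs.
set -eu

KMS_API="https://cloudkms.googleapis.com/v1"
PROJECT_ID="${PROJECT_ID:-projectid}"   # assumption: supplied via environment
KEY_PATH="projects/${PROJECT_ID}/locations/global/keyRings/test/cryptoKeys/quickstart"

# Pre-flight check from the comments: Google OAuth 2 access tokens start with
# "ya29."; API keys (which KMS will reject with 401) start with "AIza".
is_oauth_token() {
  case "$1" in
    ya29.*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Request body for :encrypt. KMS wants the plaintext as one base64 string, so
# the encoding must not be line-wrapped (tr -d '\n' is the portable form of
# GNU "base64 -w 0"). Reads the file directly so trailing newlines survive.
encrypt_body() {
  printf '{"plaintext":"%s"}' "$(base64 < "$1" | tr -d '\n')"
}

# Request body for :decrypt; the argument is the base64 ciphertext KMS returned.
decrypt_body() {
  printf '{"ciphertext":"%s"}' "$1"
}

# Token for whichever identity gcloud is currently authenticated as. For other
# users, activate their own service account first (it needs the
# roles/cloudkms.cryptoKeyEncrypterDecrypter role on this key):
#   gcloud auth activate-service-account --key-file=sa-key.json
get_token() {
  gcloud auth print-access-token
}

# Common POST helper: <method> <json-body>  -> raw JSON response on stdout.
kms_call() {
  token="$(get_token)"
  if ! is_oauth_token "$token"; then
    echo "refusing to send: credential is not an OAuth 2 access token" >&2
    return 1
  fi
  curl -sS -X POST "${KMS_API}/${KEY_PATH}:$1" \
    -H "Authorization: Bearer ${token}" \
    -H "Content-Type: application/json" \
    -d "$2"
}

# kms_encrypt <plaintext-file>      -> base64 ciphertext on stdout
kms_encrypt() {
  kms_call encrypt "$(encrypt_body "$1")" | jq -r '.ciphertext'
}

# kms_decrypt <base64-ciphertext>   -> decoded plaintext on stdout
kms_decrypt() {
  kms_call decrypt "$(decrypt_body "$1")" | jq -r '.plaintext' | base64 -d
}

# Usage (only runs when invoked as a script with arguments):
#   ./kms.sh encrypt appsettings.json > appsettings.json.ciphertext.b64
#   ./kms.sh decrypt "$(cat appsettings.json.ciphertext.b64)" > appsettings.json
if [ "$#" -ge 2 ]; then
  case "$1" in
    encrypt) kms_encrypt "$2" ;;
    decrypt) kms_decrypt "$2" ;;
    *) echo "usage: $0 encrypt <file> | decrypt <base64-ciphertext>" >&2; exit 2 ;;
  esac
fi
```

The pre-flight check is what turns the opaque 401 into an actionable local error: a credential minted under "Create credentials -> API key" never reaches KMS, and the script points at the access-token flow instead. Keep the service-account key file out of the scripts themselves and restrict its IAM grant to the single key it needs.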
