quota - How can I iterate over all Google Cloud KMS keys in an organization without hitting the read quota?
Question
I'm trying to find out whether any key has a version that is more than a year old and, if so, set its rotation to 24 hours from now. Unfortunately, every list-key-rings call counts as a key.read, which has a very small quota (~300/min). Other than raising the quotas, is there any other way around them? I'm trying to run this code periodically in a Cloud Function, so there is a runtime limit and I can't simply wait for the quota to reset.
import time

from google.cloud import kms_v1


def list_keys(project):
    client = kms_v1.KeyManagementServiceClient()
    # This location list is based on a run of `gcloud kms locations list` and
    # represents everywhere a key could be created.
    location_list = ['asia', 'asia-east1', 'asia-east2', 'asia-northeast1', 'asia-northeast2',
                     'asia-south1', 'asia-southeast1', 'australia-southeast1', 'eur4', 'europe',
                     'europe-north1', 'europe-west1', 'europe-west2', 'europe-west3', 'europe-west4',
                     'europe-west6', 'global', 'nam4', 'northamerica-northeast1', 'southamerica-east1',
                     'us', 'us-central1', 'us-east1', 'us-east4', 'us-west1', 'us-west2']
    for location in location_list:
        key_ring_parent = client.location_path(project, location)
        # Each of these list calls is billed against the key.read quota.
        key_ring_list = client.list_key_rings(key_ring_parent)
        for key_ring in key_ring_list:
            # key_ring.name is already the full resource path
            # (projects/.../locations/.../keyRings/...), so it can be used as the parent directly.
            parent = key_ring.name
            for key in client.list_crypto_keys(parent):
                if not key.primary.name:
                    # e.g. asymmetric keys have no primary version and no rotation schedule
                    continue
                start_time = key.primary.create_time  # need to use primary to get latest version of the key
                now_seconds = int(time.time())
                elapsed = now_seconds - start_time.seconds
                next_rotate_age = (key.next_rotation_time.seconds - now_seconds) + elapsed
                days_elapsed = elapsed / 3600 / 24
                print(key.name, " is this many days old: ", days_elapsed)
                print(key.name, " will be this many days old when it is scheduled to rotate: ", next_rotate_age / 3600 / 24)
                # if the key is a year old set it to rotate tomorrow
                if days_elapsed > 364:
                    new_rotation_time = now_seconds + (3600 * 24)  # 1 day from now because can't set less than 24 hrs notice on certain keys
                    key.next_rotation_time.seconds = new_rotation_time
                    # The field mask lists the *paths* being updated, not their values.
                    update_mask = {'paths': ['next_rotation_time']}
                    print(client.update_crypto_key(key, update_mask))
Solution
Is Cloud Asset Inventory an option? You could run something like
$ gcloud asset export --organization=YOUR_ORG_ID \
    --asset-types=cloudkms.googleapis.com/CryptoKey \
    --content-type=resource \
    --output-path="gs://YOUR_BUCKET/NEW_FILE"
The output file will contain the full CryptoKey resource for every key in the organization, so you don't need to send a large number of List/Get requests to the KMS API.
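As an added example (not code from the question or the answer), the exported file can be processed offline to find the same overdue keys the question's loop looks for, so that only the overdue keys cause any KMS API call at all. The sample export lines are constructed, the JSON field names are assumed to follow the KMS REST representation of CryptoKey, and the update-request shape is assumed from google-cloud-kms 2.x.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of what `gcloud asset export` writes: one JSON object per line,
# with the CryptoKey resource under "resource.data". Field names are assumed to match
# the KMS REST representation (camelCase keys, RFC 3339 timestamps).
SAMPLE_EXPORT = """\
{"name": "//cloudkms.googleapis.com/projects/p/locations/us/keyRings/r1/cryptoKeys/old", "asset_type": "cloudkms.googleapis.com/CryptoKey", "resource": {"data": {"name": "projects/p/locations/us/keyRings/r1/cryptoKeys/old", "nextRotationTime": "2020-09-01T00:00:00Z", "primary": {"name": "projects/p/locations/us/keyRings/r1/cryptoKeys/old/cryptoKeyVersions/3", "createTime": "2018-06-01T00:00:00.123456Z"}}}}
{"name": "//cloudkms.googleapis.com/projects/p/locations/europe/keyRings/r2/cryptoKeys/fresh", "asset_type": "cloudkms.googleapis.com/CryptoKey", "resource": {"data": {"name": "projects/p/locations/europe/keyRings/r2/cryptoKeys/fresh", "nextRotationTime": "2020-02-01T00:00:00Z", "primary": {"name": "projects/p/locations/europe/keyRings/r2/cryptoKeys/fresh/cryptoKeyVersions/1", "createTime": "2019-11-15T00:00:00Z"}}}}
{"name": "//cloudkms.googleapis.com/projects/p/locations/global/keyRings/r3/cryptoKeys/asym", "asset_type": "cloudkms.googleapis.com/CryptoKey", "resource": {"data": {"name": "projects/p/locations/global/keyRings/r3/cryptoKeys/asym", "purpose": "ASYMMETRIC_SIGN"}}}
{"name": "//cloudkms.googleapis.com/projects/p/locations/us/keyRings/r1", "asset_type": "cloudkms.googleapis.com/KeyRing", "resource": {"data": {"name": "projects/p/locations/us/keyRings/r1"}}}
"""

def parse_rfc3339(ts):
    """Parse an export timestamp such as 2018-06-01T00:00:00.123456Z into an aware datetime."""
    base = ts.split(".")[0].rstrip("Z")  # drop fractional seconds, which can be up to 9 digits
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def keys_needing_rotation(export_text, now, max_age_days=364):
    """Return (key_name, new_next_rotation_time) for every CryptoKey in the export
    whose primary version is older than max_age_days, computed entirely from the
    exported file so that no KMS List/Get calls are made."""
    due = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        asset = json.loads(line)
        # A broader export can also carry KeyRing assets; only CryptoKey rows matter here.
        if asset.get("asset_type") != "cloudkms.googleapis.com/CryptoKey":
            continue
        data = asset["resource"]["data"]
        primary = data.get("primary")
        if not primary:
            continue  # asymmetric keys have no primary version and no rotation schedule
        age = now - parse_rfc3339(primary["createTime"])
        if age > timedelta(days=max_age_days):
            # Rotate tomorrow: 24 hours is the shortest notice the question says some keys accept.
            due.append((data["name"], now + timedelta(hours=24)))
    return due

def rotation_update_request(key_name, new_time):
    """Build the single UpdateCryptoKey request an overdue key needs (request shape assumed
    from google-cloud-kms 2.x: client.update_crypto_key(request=...)). The field mask lists
    the field *paths* to update, which is where the question's update_mask went wrong."""
    return {
        "crypto_key": {"name": key_name, "next_rotation_time": new_time},
        "update_mask": {"paths": ["next_rotation_time"]},
    }
```

With this split, the only KMS traffic left is one UpdateCryptoKey per overdue key, and the export itself is a single Cloud Asset operation rather than one list call per location and key ring.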