Encrypt / decrypt strings with Google Cloud KMS (Google Apps Script)
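// Decrypt: decrypts `cipherSecret` (the base64 ciphertext returned by Encrypt)
// with the given Google Cloud KMS key and returns the plaintext as a string.
//
// project / location / keyring / key - KMS resource names used to build the REST path
// cipherSecret                        - base64 ciphertext as returned by the KMS :decrypt peer call
// returns                             - the decrypted string, read as UTF-8
// throws                              - Error when the input is empty, KMS answers with a
//                                       non-2xx status, or the response carries no plaintext
function Decrypt(project, location, keyring, key, cipherSecret) {
  if (typeof cipherSecret !== 'string' || cipherSecret === '') {
    throw new Error('Decrypt: cipherSecret must be a non-empty string');
  }
  // Each resource name is a single path segment, so encode it instead of trusting
  // it to be free of '/', '?' or '#' (a stray character would otherwise redirect the
  // call to a different resource path).
  var url = Utilities.formatString(
    'https://cloudkms.googleapis.com/v1/projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s:decrypt',
    encodeURIComponent(project), encodeURIComponent(location),
    encodeURIComponent(keyring), encodeURIComponent(key));
  var params = {
    "method": "POST",
    "contentType": "application/json",
    "headers": { "Authorization": getOAuth2Token() },
    "payload": JSON.stringify({ "ciphertext": cipherSecret }),
    // Handle the status ourselves so the error names the KMS call and the
    // server-side reason instead of the generic UrlFetchApp exception.
    "muteHttpExceptions": true
  };
  var rawResponse = UrlFetchApp.fetch(url, params);
  var status = rawResponse.getResponseCode();
  var jsonBody;
  try {
    jsonBody = JSON.parse(rawResponse.getContentText());
  } catch (e) {
    // non-JSON body (e.g. an HTML error page): report the status below
    jsonBody = {};
  }
  if (status < 200 || status >= 300) {
    var reason = (jsonBody.error && jsonBody.error.message) || ('HTTP ' + status);
    throw new Error('KMS decrypt failed: ' + reason);
  }
  if (typeof jsonBody.plaintext !== 'string') {
    throw new Error('KMS decrypt response has no plaintext field');
  }
  // KMS returns the plaintext base64-encoded; getDataAsString() reads the bytes as UTF-8,
  // which matches the charset Encrypt uses on the way in.
  var decodedSecret = Utilities.base64Decode(jsonBody.plaintext);
  return Utilities.newBlob(decodedSecret).getDataAsString();
}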
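// Encrypt: encrypts `plainSecret` with the given Google Cloud KMS key and returns
// the base64 ciphertext string that Decrypt accepts.
//
// project / location / keyring / key - KMS resource names used to build the REST path
// plainSecret                        - the string to protect
// returns                            - base64 ciphertext as returned by KMS
// throws                             - Error when the input is not a string, KMS answers
//                                      with a non-2xx status, or no ciphertext comes back
function Encrypt(project, location, keyring, key, plainSecret) {
  if (typeof plainSecret !== 'string') {
    throw new Error('Encrypt: plainSecret must be a string');
  }
  // Each resource name is a single path segment, so encode it instead of trusting
  // it to be free of '/', '?' or '#'.
  var url = Utilities.formatString(
    'https://cloudkms.googleapis.com/v1/projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s:encrypt',
    encodeURIComponent(project), encodeURIComponent(location),
    encodeURIComponent(keyring), encodeURIComponent(key));
  var params = {
    "method": "POST",
    "contentType": "application/json",
    "headers": { "Authorization": getOAuth2Token() },
    // Encode explicitly as UTF-8 so the bytes KMS sees are the same ones Decrypt
    // later reads back with getDataAsString() (UTF-8); non-ASCII input round-trips.
    "payload": JSON.stringify({ "plaintext": Utilities.base64Encode(plainSecret, Utilities.Charset.UTF_8) }),
    // Handle the status ourselves so the error names the KMS call and the
    // server-side reason instead of the generic UrlFetchApp exception.
    "muteHttpExceptions": true
  };
  var rawResponse = UrlFetchApp.fetch(url, params);
  var status = rawResponse.getResponseCode();
  var jsonBody;
  try {
    jsonBody = JSON.parse(rawResponse.getContentText());
  } catch (e) {
    // non-JSON body (e.g. an HTML error page): report the status below
    jsonBody = {};
  }
  if (status < 200 || status >= 300) {
    var reason = (jsonBody.error && jsonBody.error.message) || ('HTTP ' + status);
    throw new Error('KMS encrypt failed: ' + reason);
  }
  if (typeof jsonBody.ciphertext !== 'string') {
    throw new Error('KMS encrypt response has no ciphertext field');
  }
  // the ciphertext is already base64 in the API response; hand it back as-is
  return jsonBody.ciphertext;
}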
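// getOAuth2Token: builds (or reuses, via the property store / cache) an OAuth2
// service for the KMS service account and returns an Authorization header value.
//
// returns - the string 'Bearer ' + access token
// throws  - Error when the credentials are not configured or the token exchange fails
function getOAuth2Token() {
  // The service-account JSON is read from a script property rather than pasted into
  // the source: an inline literal puts the private key into every copy and version
  // of this script and in front of anyone who can read it. The property name below is
  // a constructed example — pick your own and set it under Project Settings > Script properties.
  var rawCredentialsJson = PropertiesService.getScriptProperties().getProperty('KMS_SERVICE_ACCOUNT_JSON');
  if (!rawCredentialsJson) {
    throw new Error('getOAuth2Token: script property KMS_SERVICE_ACCOUNT_JSON is not set');
  }
  var serviceAccount = JSON.parse(rawCredentialsJson);
  // The service name is only the key under which tokens are cached; it is kept as-is
  // so tokens cached by earlier runs stay valid, even though the name says "GoogleDrive".
  var service = OAuth2.createService('GoogleDrive:' + serviceAccount.client_email)
    .setAuthorizationBaseUrl(serviceAccount.auth_uri)
    .setTokenUrl(serviceAccount.token_uri)
    .setPrivateKey(serviceAccount.private_key)
    .setIssuer(serviceAccount.client_email)
    .setPropertyStore(PropertiesService.getScriptProperties())
    .setCache(CacheService.getUserCache())
    .setLock(LockService.getUserLock())
    // Least privilege: the cloudkms scope alone covers :encrypt / :decrypt, so the
    // much broader cloud-platform scope is not requested.
    .setScope('https://www.googleapis.com/auth/cloudkms');
  // hasAccess() performs the JWT exchange for a service account; on failure the
  // reason is available from getLastError() instead of a bare undefined token.
  if (!service.hasAccess()) {
    throw new Error('getOAuth2Token: token request failed: ' + service.getLastError());
  }
  return 'Bearer ' + service.getAccessToken();
}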
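// test_: round-trips a fixed sample string through Encrypt and Decrypt and logs
// each step. The trailing underscore hides it from the Apps Script run menu;
// remove it to run the check from the editor.
//
// throws - Error when the decrypted value differs from the input
function test_() {
  // placeholder resource names: replace with the real project / keyring / key
  var kmsProjectId = "project_id";
  var kmsLocation = "global";
  var kmsKeyring = "keyring_name";
  var kmsKey = "key_name";
  // Only this fixed sample is logged; the helper is not meant to run on real secrets,
  // because Logger output is readable to everyone with access to the executions.
  var plainData = "salut-les-terriens";
  Logger.log("Plain data: " + plainData);
  var cipherData = Encrypt(kmsProjectId, kmsLocation, kmsKeyring, kmsKey, plainData);
  Logger.log("Cipher data: " + cipherData);
  // declared with var: the original leaked decryptedData as an implicit global
  var decryptedData = Decrypt(kmsProjectId, kmsLocation, kmsKeyring, kmsKey, cipherData);
  Logger.log("Decrypted data: " + decryptedData);
  // make the round-trip an actual check rather than something to eyeball in the log
  if (decryptedData !== plainData) {
    throw new Error('KMS round-trip mismatch: got "' + decryptedData + '", expected "' + plainData + '"');
  }
}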