我如何处理 Google Cloud Functions 中的机密？

Question

What is the common practice here? There seems to be no tools provided by gcloud . I'm deploying functions from local machine for now, so I can hardcode secrets, but this seems inappropriate. Also, what about CI/CD? I would need to pass secrets as environment variables in this case. Is this even possible atm?

Answer 1

You can use the Secret Manager for this. Follow the instructions on the link to add a secret.

The only GOTCHA I found is that by default the service account doesn't have read-access to the secrets, you've got to manually grant permissions, like so:

Answer 2

Since making my comment, I've found a relatively simple way to do this - provide a config .json file. Here's an example I hacked together based on their Slack function example:

config.json file in the same directory as index.js :

{
  "foo": "bar"
}

index.js

const config = require('./config.json');

exports.envTest = (req, res) => {
  res.status(200).send(config.foo);
};

When you deploy the function and go to the URL, you should get the response bar .

Pros and cons:

Pros:

1. Easy to set up and configure right in your IDE
2. Config file can be put into .gitignore to ensure your secrets don't end up the repo
3. File itself can be stored in a secure location and only given to individual responsible for deploying the functions

Cons:

1. Clunky in comparison to proper secret management
2. Requires attention to ensure the file doesn't fall into the wrong hands
3. File can be read in plaintext in the Google Cloud console by looking at the function source

On the whole, it's a far cry from a real secrets management system, but it's workable enough to hold me over until this feature eventually makes it into the Cloud Functions core.

Answer 3

You should use Cloud Key Management Service(KMS) .
Don't push pure secrets to Cloud Functions with files or environment variables.

One solution is followings:

1. Create key on Cloud KMS
2. Encrypt secret file with that key
3. Upload encrypted secret file to Google Cloud Storage(GCS) (Accessible by specified user)
4. In Cloud Function Execution, get uploaded secret file from GCS, decrypt, and use it

[Ref] Secret management using the Google Cloud Platform

Answer 4

As of 2021-08-25, the preferred way to handle secrets in Google Cloud Functions is with the native Secret Manager integration . This integration enables you to mount secrets in Google Secret Manager via environment variables or the filesystem.

1. Create or migrate your secret to Google Secret Manager (there's a generous always-free tier):

    $ gcloud secrets create "my-secret" --replication-policy="automatic" --data=...

2. Update your Cloud Function deployment to reference the secret:

   As an environment variable:

    $ gcloud beta functions deploy "my-function" --set-secrets "MY_SECRET=my-secret:latest"

   Via the filesystem:

    $ gcloud beta functions deploy "my-function" --set-secrets "/path/to/my/secret=my-secret:latest"

To practice the principle of least privilege, it's recommended that each Cloud Function be deployed as a dedicated service account. You need to grant that service account access to the secrets your application requires.