How do I handle secrets in Google Cloud Functions?
What is the common practice here? There seem to be no tools provided by gcloud. I'm deploying functions from my local machine for now, so I can hardcode secrets, but this seems inappropriate. Also, what about CI/CD? I would need to pass secrets as environment variables in this case. Is this even possible atm?
You can use the Secret Manager for this. Follow the instructions on the link to add a secret.

The only GOTCHA I found is that by default the service account doesn't have read access to the secrets; you've got to manually grant permissions, like so:
Since making my comment, I've found a relatively simple way to do this - provide a config .json file. Here's an example I hacked together based on their Slack function example:

config.json file in the same directory as index.js:

    {
      "foo": "bar"
    }

index.js:

    // Load the untracked config file at cold start
    const config = require('./config.json');

    // HTTP-triggered function that returns the configured value
    exports.envTest = (req, res) => {
      res.status(200).send(config.foo);
    };

When you deploy the function and go to the URL, you should get the response bar.

Pros and cons:

Pros:
- .gitignore to ensure your secrets don't end up in the repo

Cons:

On the whole, it's a far cry from a real secrets management system, but it's workable enough to hold me over until this feature eventually makes it into the Cloud Functions core.
You should use Cloud Key Management Service (KMS).

Don't push pure secrets to Cloud Functions with files or environment variables. One solution is the following:

[Ref] Secret management using the Google Cloud Platform
As of 2021-08-25, the preferred way to handle secrets in Google Cloud Functions is with the native Secret Manager integration. This integration enables you to mount secrets in Google Secret Manager via environment variables or the filesystem.

1. Create or migrate your secret to Google Secret Manager (there's a generous always-free tier):

    $ gcloud secrets create "my-secret" --replication-policy="automatic" --data=...

2. Update your Cloud Function deployment to reference the secret:

As an environment variable:

    $ gcloud beta functions deploy "my-function" --set-secrets "MY_SECRET=my-secret:latest"

Via the filesystem:

    $ gcloud beta functions deploy "my-function" --set-secrets "/path/to/my/secret=my-secret:latest"

To practice the principle of least privilege, it's recommended that each Cloud Function be deployed as a dedicated service account. You need to grant that service account access to the secrets your application requires.