GCP KMS加密环境变量并将加密的密钥通过cloudbuild.yaml传递给Google App Engine
[英]GCP kms encrypt env var and passing encrypted key through cloudbuild.yaml to google app engine
问题描述
I'm trying to encrypt env vars for database in Cloud SQL in my RoR app deploying to Google App Engine. 
我正在尝试在部署到Google App Engine的RoR应用程序中为Cloud SQL中的数据库加密环境变量。 Following this doc https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials 遵循此文档https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials
However, I have an error when running both gcloud builds submit and gcloud app deploy . 但是,同时运行gcloud builds submit gcloud app deploy和gcloud app deploy时出现错误。 Both are error out with: 两者都有错误:
Failure status: UNKNOWN: Error Response: [4] DEADLINE_EXCEEDED / build step 0 "gcr.io/cloud-builders/gcloud" failed: exit status 1.
I then check the gcloud builds described shows that the app failed to deploy, however, DATABASE_PASS shows working/queued. 然后,我检查所gcloud builds described的gcloud builds described表明该应用未能部署,但是DATABASE_PASS显示工作/排队。 I have increase the Cloud Build component in gcloud sdk to 1000 and testing timeout: in cloudbuild.yaml; 我将gcloud sdk中的Cloud Build组件增加到1000,并测试了超时: cloudbuild.yaml; both options didn't improve anything. 两种选择都没有任何改善。
Before using Cloud Build my app was working but I'm erasing the need of credentials and using encrypted credentials for CI/CD pipeline. 在使用Cloud Build之前,我的应用程序可以正常工作,但是我消除了对凭证的需求,并且对CI / CD管道使用了加密的凭证。 Also, would like to encrypt more than one env var in my app.yaml . 另外,想对我的app.yaml多个env var进行加密。
<cloudbuild.yaml>
steps:
- name: 'gcr.io/cloud-builders/gcloud'
args: ['app','deploy','app-beta.yaml']
- name: 'us.gcr.io/project_ID/image_name'
#args: [ 'app', 'deploy', 'app-beta.yaml' ]
secretEnv: [ "DATABASE_PASS" ]
secrets:
- kmsKeyName: projects/Project_id/locations/global/keyRings/Misc/cryptoKeys/Random
secretEnv:
DATABASE_PASS:< base64 encoded encryption>
<app.yaml>
runtime: custom
env: flex
service: authentication
resources:
cpu: 2
memory_gb: 2.5
disk_size_gb: 10
beta_settings:
cloud_sql_instances: '/cloudsql/project_id:us-central1:sqlname'
network:
name: default
skip_files:
- .ruby-gemset
- .env
- .bundle
- .byebug_history
- .vscode/
- .idea/
- storage/
- vendor/
- log/
- tmp/
#liveness_check:
#path: '/liveness-check'
# initial_delay_sec: 300
# check_interval_sec: 30
# timeout_sec: 4
# failure_threshold: 2
# success_threshold: 2
#
# readiness_check:
# path: '/readiness-check'
# check_interval_sec: 5
# timeout_sec: 4
# failure_threshold: 2
# success_threshold: 2
# app_start_timeout_sec: 300
env_variables:
SECRET_KEY_BASE: 'SECRET_KEY'
RAILS_ENV: 'redacted'
RACK_ENV: 'redacted'
SERVICE_NAME: 'redacted'
REDIS_HOST: '10.0.0.3'
REDIS_PORT: 6379
TOTP_SECRET: 'TOTP_SECRET'
DATABASE_USER: 'postgres'
DATABASE_PASS: 'DATABASE_PASS'
DATABASE_NAME: 'postgres'
DATABASE_HOST: '/cloudsql/project_id:us-central1:sqlname'
RAILS_LOG_TO_STDOUT: enabled
RAILS_SERVE_STATIC_FILES: enabled
LANG: en_US.UTF-8
1 个解决方案
解决方案1
1 2019-02-21 17:29:25
I found the problem, one was that when I used the gcloud kms encryption. 我发现了问题,一个是当我使用gcloud kms加密时。 I wasn't encrypting anything. 我没有加密任何东西。 So was passing in an empty value. 传递空值也是如此。 I'll throw up my solution on a blog and hyperlink to it. 我将把解决方案放在博客上并提供超链接。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.