在 gitlab CI/CD 中使用 GOOGLE_APPLICATION_CREDENTIALS 的最佳实践
[英]Best practices for using GOOGLE_APPLICATION_CREDENTIALS in gitlab CI/CD
问题描述
I'm trying to make GitLab pipelines that deploy GCP instances through the GCP terraform provider .
我正在尝试制作 GitLab 管道,通过GCP terraform provider部署 GCP 实例。 Other platforms like AWS have environmental variables like $AWS_ACCESS_KEY_ID and $AWS_SECRET_ACCESS_KEY that can be used to authenticate requests, but GCP seems to use service account credential files instead. AWS 等其他平台具有$AWS_ACCESS_KEY_ID和$AWS_SECRET_ACCESS_KEY等环境变量,可用于对请求进行身份验证,但 GCP 似乎改用服务帐户凭证文件。
I could create a CI gitlab file variable to contain my GCP service account credential file, but I can only add it in an insecure way.我可以创建一个 CI gitlab 文件变量来包含我的 GCP 服务帐户凭证文件,但我只能以不安全的方式添加它。 If I attempt to mask my file variable under the GitLab ci-cd settings it produces the error message This variable can not be masked.如果我尝试在 GitLab ci-cd 设置下屏蔽我的文件变量,它会生成错误消息This variable can not be masked.
What is the proper best practice for storing GCP service account credential files in GitLab CI/CD environmental variables?在 GitLab CI/CD 环境变量中存储 GCP 服务帐户凭证文件的正确最佳做法是什么?
3 个解决方案
解决方案1
0 2021-12-13 03:21:26
One approach is to take the environment variable and write it out as a file.一种方法是获取环境变量并将其作为文件写出。 When you add variable in the newer versions of Gitlab, there is a dropdown that lets you choose between "Variable" and "File".当您在 Gitlab 的较新版本中添加变量时,有一个下拉菜单可让您在“变量”和“文件”之间进行选择。 If you put the contents in the value field, you can use a cp $VARIABLE_NAME name-of-file.bob .如果将内容放在值字段中,则可以使用cp $VARIABLE_NAME name-of-file.bob 。
You don't need to mask it because it is never written to the log (unless you cat it), but I do recommend you check the "Protect" check box which means it will only be used on protected branches.您不需要屏蔽它,因为它永远不会写入日志(除非您 cat 它),但我建议您选中“保护”复选框,这意味着它只会在受保护的分支上使用。
A second approach is to encrypt it and decrypt it using a password which is in a protected variable.第二种方法是使用受保护变量中的密码对其进行加密和解密。 It would require getting another program in the build, but that might work for you.这将需要在构建中获取另一个程序,但这可能对您有用。
A third is use something like age to check in the encrypted file, write out a SSH as a fancy decryption key, and then package the SSH.第三种是使用年龄之类的东西来检查加密文件,写出 SSH 作为花式解密密钥,然后写出 package SSH。
But, the first approach is probably going to be your best bet.但是,第一种方法可能是您最好的选择。
解决方案2
0 2022-11-16 07:01:55
The best practice way to achieve this is using Workload Identity Federation .实现这一目标的最佳实践方法是使用Workload Identity Federation 。
Documentation on how to set this up in Gitlab CI/CD is available . 有关如何在 Gitlab CI/CD 中进行设置的文档可用。 Unfortunately it is not in GA yet and thus not suited for production use.不幸的是,它还没有正式发布,因此不适合生产使用。
解决方案3
0 2022-12-12 21:15:59
Best practice in terms of security:安全方面的最佳实践:
- You need to generate a JSON key file containing the credentials that GitLab will use to authenticate Google Cloud.您需要生成一个 JSON 密钥文件,其中包含 GitLab 将用于对 Google Cloud 进行身份验证的凭据。
- In Gitlab ->
Settings->CI/CDexpandSecret variablesarea在 Gitlab -> Settings->CI/CD展开Secret variables区域 - Here goes your GOOGLE_APPLICATION_CREDENTIALS as a key and additionally with the value the content of step 1这是您的 GOOGLE_APPLICATION_CREDENTIALS 作为键,另外还有第 1 步的内容的值
- Refer to your key value pair in the configuration file in your pipeline在管道的配置文件中引用您的键值对
For example like this in your pipeline configuration file (step 4):例如在您的管道配置文件中这样(第 4 步):
variables:
GOOGLE_APPLICATION_CREDENTIALS: $GOOGLE_APPLICATION_CREDENTIALS
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.