Retrieving environment variables in Google Cloud stored in Secret Manager
I am unable to retrieve an environment variable accessed in code in my Bitbucket-deployed application. When my application starts, I want to fetch the db URI, like this:

const uri = process.env.MONGODB_CONNECTION_URI;

Whenever I build and push the artifact from local, my environment variables are successfully passed from .env files I have stored locally on my machine. Obviously I do not want to commit this file.

When I use Bitbucket Pipelines for deploying my application to GCP, I am able to successfully push a new artifact to GCP. But on application startup, it is unable to retrieve my db URI.
This article is pretty close to describing what I want to achieve, but I don't see how this addresses the fact that the property value is an actual secret that I cannot commit to my repo, and need to access at application startup from somewhere.

This question describes how to access variables from Secret Manager in the Cloud Pipeline, not in the application itself.
I use the predefined google-app-engine-deploy pipe. Relevant parts of my bitbucket-pipelines.yml look like this:
branches:
  develop:
    - step:
        name: Deploy
        deployment: test
        script:
          - pipe: atlassian/google-app-engine-deploy:1.0.0
            variables:
              KEY_FILE: $GCP_SECRET
              PROJECT: 'test-project'
              DEPLOYABLES: 'test.yaml'
              PROMOTE: 'false'
              STOP_PREVIOUS_VERSION: 'false'
The GCP_SECRET is the base64-encoded GCP service account, fetched from a secret inside Bitbucket, working nicely.

Inside test.yml, I have the following:
runtime: nodejs
env: flex
instance_class: B1
manual_scaling:
  instances: 1
env_variables:
  NODE_ENV: "test"
  MONGODB_CONNECTION_URI: $MONGODB_CONNECTION_URI
So my issue is the MONGODB_CONNECTION_URI. I have tried adding a new secret in GCP Secret Manager where I have an entry MONGODB_CONNECTION_URI with the actual connection string, but my application is unable to find this property at startup.

Where am I going wrong? Is there something fundamental in how to pass secrets that I have misunderstood?

Can I define and pass a variable inside the Bitbucket deployment pipeline? Or is the correct way to access the environment variable directly from Google Cloud Platform?
I would suggest you refer to this documentation link in order to create and access Secret Manager.

This documentation link provides resources for using Secret Manager with various Google Cloud services. For instance, access Secret Manager secrets and expose them as environment variables or via the filesystem from Cloud Functions. See Using Secret Manager secrets with Cloud Functions for detailed information.

Note that adding a secret version requires the Secret Manager Admin role (roles/secretmanager.admin) on the secret, project, folder, or organization. Roles can't be granted on a secret version.

Refer to this discussion on a similar question.
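The answer above points at the Secret Manager documentation but does not show what the application side looks like. The following is an added example, not code from the question or from either answer: a Node.js startup module that resolves MONGODB_CONNECTION_URI from Secret Manager before the app opens its database connection. It assumes that the app.yaml env_variables entry holds only the secret's resource name (an assumed name, projects/test-project/secrets/MONGODB_CONNECTION_URI/versions/latest, which is safe to commit), that @google-cloud/secret-manager is installed in the real deployment, and that the App Engine runtime service account has roles/secretmanager.secretAccessor on that secret. The Secret Manager client is injected, and a constructed fake client with a constructed environment stand in for it so the block runs offline. Because app.yaml env_variables are literal strings (a $NAME value reaches the process unexpanded), the loader also rejects that case explicitly instead of starting with a useless value.

```javascript
// Added example (not code from the original question or answers).
// Resolves secrets from Google Secret Manager when the Node.js app starts.
// Assumption: app.yaml carries only the *resource name* of the secret, e.g.
//   MONGODB_CONNECTION_URI: projects/test-project/secrets/MONGODB_CONNECTION_URI/versions/latest
// and the App Engine service account has roles/secretmanager.secretAccessor on it.
// The Secret Manager client is injected so the module runs offline with a fake.

const SECRET_REF = /^projects\/[^/]+\/secrets\/[^/]+\/versions\/[^/]+$/;

function isSecretRef(value) {
  return typeof value === 'string' && SECRET_REF.test(value);
}

// Fetch one secret version. The real client resolves to [response] with
// response.payload.data as a Buffer.
async function accessSecret(client, name) {
  const [version] = await client.accessSecretVersion({ name });
  const data = version && version.payload && version.payload.data;
  if (data == null) throw new Error(`secret ${name} has no payload`);
  const text = Buffer.isBuffer(data) ? data.toString('utf8') : String(data);
  // Values created with `echo` or from a file usually carry a trailing newline,
  // which silently corrupts a connection string; strip it.
  return text.replace(/\r?\n$/, '');
}

// Build the runtime config from env. Each required key is either a literal
// value or a Secret Manager resource name to resolve. Fails fast and loudly
// instead of letting the app start with `undefined` and fail at connect time.
async function loadConfig(env, client, required = ['NODE_ENV', 'MONGODB_CONNECTION_URI']) {
  const config = {};
  for (const key of required) {
    const raw = env[key];
    if (raw === undefined || raw === '') {
      throw new Error(`required environment variable ${key} is not set`);
    }
    if (raw.startsWith('$')) {
      // app.yaml env_variables are literal strings; "$NAME" is never expanded.
      throw new Error(`${key} is the unexpanded placeholder "${raw}"; put the literal value or a Secret Manager resource name in app.yaml`);
    }
    config[key] = isSecretRef(raw) ? await accessSecret(client, raw) : raw;
    if (config[key] === '') throw new Error(`${key} resolved to an empty value`);
  }
  return config;
}

// Mask the password so the URI can be logged at startup without leaking it.
function redact(uri) {
  return uri.replace(/^([a-z][a-z0-9+.-]*:\/\/[^/:@]+:)[^@]*@/i, '$1***@');
}

// Constructed fake client standing in for
//   new (require('@google-cloud/secret-manager').SecretManagerServiceClient)()
// so the example runs without GCP credentials.
const FAKE_SECRETS = {
  'projects/test-project/secrets/MONGODB_CONNECTION_URI/versions/latest':
    Buffer.from('mongodb://app:s3cret@db.example.internal:27017/test\n'),
};
const fakeClient = {
  async accessSecretVersion({ name }) {
    if (!(name in FAKE_SECRETS)) {
      const err = new Error(`5 NOT_FOUND: Secret [${name}] not found or has no versions.`);
      err.code = 5; // gRPC NOT_FOUND, what the real client surfaces
      throw err;
    }
    return [{ name, payload: { data: FAKE_SECRETS[name] } }];
  },
};

// Constructed environment matching the question's test.yaml, with the
// placeholder replaced by the secret's resource name.
const SAMPLE_ENV = {
  NODE_ENV: 'test',
  MONGODB_CONNECTION_URI: 'projects/test-project/secrets/MONGODB_CONNECTION_URI/versions/latest',
};

async function demo() {
  const config = await loadConfig(SAMPLE_ENV, fakeClient);
  console.log('connecting to', redact(config.MONGODB_CONNECTION_URI));
  return config;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().catch((e) => { console.error(e.message); process.exit(1); });
}
```

In the real service, build the client with `new SecretManagerServiceClient()` from @google-cloud/secret-manager and call `loadConfig(process.env, client)` once before opening the Mongo connection, then connect with the resolved value and log only `redact(...)`. Reading a version at runtime needs only roles/secretmanager.secretAccessor on that one secret, so grant that to the runtime service account rather than the admin role, which is only needed by whoever creates versions.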
I was able to resolve this with the help of this guide.

I find the solution to be a little bit hacky, but at least it works nicely for me now. Basically, I: