Use Google Cloud Secrets when initializing code
I have this code to retrieve the secrets:

```typescript
import {SecretManagerServiceClient} from "@google-cloud/secret-manager";

const client = new SecretManagerServiceClient();

// Fetches one version of a secret and parses its payload as JSON,
// so the stored secret has to be a JSON document rather than a bare string.
async function getSecret(secret: string, version = "latest") {
  const projectID = process.env.GOOGLE_CLOUD_PROJECT;
  const [vs] = await client.accessSecretVersion({
    name: `projects/${projectID}/secrets/${secret}/versions/${version}`
  });
  const data = vs.payload?.data;
  if (!data) {
    throw new Error(`secret ${secret}/${version} has no payload`);
  }
  const secretValue = JSON.parse(data.toString());
  return secretValue;
}

export {getSecret};
```
I would like to replace `process.env.SENTRY_DNS` with `await getSecrets("SENTRY_DNS")`, but I can't call a promise (`await`) outside an async function.
```javascript
Sentry.init({
  dsn: process.env.SENTRY_DNS,
  environment: Config.isBeta ? "Beta" : "Main"
});

function sentryCreateError(message, contexts) {
  Sentry.captureMessage(message, {
    level: "error", // one of 'info', 'warning', or 'error'
    contexts
  });
}
```
What are the best practices with Google Secrets? Should I be loading the secrets once in a "config" file and then call the values from there? If so, I'm not sure how to do that; do you have an example?
Leaving aside your code example (I don't work with JS anyway), I would think about a few different questions, the answers to which may affect the design. For example:
1. Suppose, for example, that this is going to be a cloud function. The next question:
2. Would you prefer to store the secret values in special environment variables, or in the secret manager? The first option is faster, but less secure; for instance, everybody who has access to the cloud function details in the console might see those environment variable values.
3. Load secret values into memory on initialization, or on every invocation? The first option is faster, but might cause some issues if the secret values are modified (gradual replacement of old values with new ones, as some instances are terminated and new instances are initialized).
The second option may need some additional discussion. It might be possible to get the values asynchronously. In what circumstances might that be useful? I think only in case your code has something else to do while waiting for the secret values, which are required to do (probably) the main job of the cloud function. How much can we shave off that way? Probably the few milliseconds used on the Secret Manager API call. Any drawbacks? Code complexity, as somebody has to maintain the code in the future. Does that performance gain still outweigh the drawbacks? In that case we probably can return to item 2 in the list above and think about storing secrets in environment variables.
What about the first option? Again, if performance is the priority, return to item 2 above; otherwise, are code simplicity and maintainability the priority, so that we don't need any asynchronous work here? Maybe the answer to that question depends on the skills, knowledge and financial budget of your company/team, rather than on technical preferences.
Some concluding notes. My context, experience, budget and requirements may be completely different from your case. My assumptions (i.e. that the code is for a cloud function) can be completely wrong as well... Thus, I would suggest considering my writing with some criticism, and using only the ideas which are relevant to your specific situation.