安全服务帐户凭据 json 密钥 kotlin
[英]Secure Service Account Credentials json key kotlin
问题描述
So, I'm trying to get the Service Application Credentials on my localhost and I'm encountering some problems.
因此,我试图在本地主机上获取服务应用程序凭据,但遇到了一些问题。 I created and downloaded the json key and I want to secure them instead of letting them in plain text.我创建并下载了 json 密钥,我想保护它们而不是让它们以纯文本形式出现。
I want to know the best way to do this.我想知道最好的方法。 I have this code:我有这段代码:
fun getServiceAccountCredentials(
pathToFallBackCredentialsFile: String
): ServiceAccountCredentials {
return try {
getApplicationDefault() as ServiceAccountCredentials
} catch (e: IOException) {
return ServiceAccountCredentials.fromStream(FileInputStream(pathToFallBackCredentialsFile))
} catch (e: ClassCastException) {
return ServiceAccountCredentials.fromStream(this::class.java.classLoader.getResourceAsStream(pathToFallBackCredentialsFile))
}
}
The problem here is that my JSON file is exposed in plain text in my repository.这里的问题是我的 JSON 文件在我的存储库中以纯文本形式公开。
2 个解决方案
解决方案1
1 2022-03-16 14:23:40
Options选项
- Encrypt them, then let the app decrypt them.加密它们,然后让应用程序解密它们。 However, if the decrypt key is in the same repository then you have only moved the problem to another place, albeit the someone needs someone to read/execute your code to obtain them.但是,如果解密密钥在同一个存储库中,那么您只是将问题转移到了另一个地方,尽管有人需要有人阅读/执行您的代码才能获得它们。
- How is your app going to be running, eg inside a Docker container in something like Kube.netes or another app running in your data centre?您的应用程序将如何运行,例如在 Kube.netes 或在您的数据中心运行的其他应用程序中的 Docker 容器内? If so then you pass the responsibility down the line to that app container manager to inject at startup-time the credentials (and other environment specifics), eg using some like Kube.netes Configuration Maps.如果是这样,那么您将责任向下传递给该应用程序容器管理器,以在启动时注入凭据(和其他环境细节),例如使用诸如 Kube.netes 配置映射之类的东西。 We do this and keep the production config maps in a separate DevOps-only repository.我们这样做并将生产配置映射保存在单独的 DevOps-only 存储库中。
- There are specialist secrets management solutions for exactly this problem and your app calls out at run time to a secrets manager for the secrets it needs, eg https://www.hashicorp.com/products/vault or some custom to cloud vendor有针对此问题的专业机密管理解决方案,您的应用程序会在运行时调用机密管理器以获取所需的机密,例如https://www.hashicorp.com/products/vault或云供应商的一些自定义
解决方案2
0 2022-03-28 10:25:57
I found a solution.我找到了解决办法。
I activated the Secret Manager from GCP and I've added the JSON file there.我从 GCP 激活了 Secret Manager,并在那里添加了 JSON 文件。
To take the secret in a java/kotlin application(without spring, if you have spring you can use "spring-cloud-gcp-starter-secretmanager"), I used the following piece of code.为了在 java/kotlin 应用程序中获取秘密(没有 spring,如果你有 spring,你可以使用“spring-cloud-gcp-starter-secretmanager”),我使用了以下代码。
fun accessSecretVersion(secretId: String?, versionId: String?): String {
val googleCredentials = GoogleCredentials.getApplicationDefault() as UserCredentials
val projectId = googleCredentials.quotaProjectId
return getSecret(projectId, secretId, versionId)
}
fun getSecret(projectId: String?, secretId: String?, versionId: String?): String {
SecretManagerServiceClient.create().use { client ->
val secretVersionName = SecretVersionName.of(projectId, secretId, versionId)
val response = client.accessSecretVersion(secretVersionName)
return response.payload.data.toStringUtf8()
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.