
Google Cloud Function: Expose Secret as Environment Variable?

I have set up a few Google Cloud Functions that access various APIs in their implementation. Naturally, these APIs require tokens or username/passwords to work. I have created these secrets in Google Cloud Secret Manager and can successfully access them via the Cloud Function using the Google Cloud Console UI.

My question is not about implementation but what the difference is between reference methods:

  1. Mounting Secret as a volume?
  2. Exposing Secret as environment variable?

Referencing secrets

All my functions use the second option. Is this a bad practice and/or does this create a security leak? I did a search and couldn't find anything definitive and Google's documentation doesn't mention anything about the differences. The word "expose" has me worried, thinking that my Secrets would be accessible by others. I would love a pros/cons of each that I and future users could reference.

Thank you!

Using Secret Manager is a good practice.

The primary difference between mounting a secret as a volume versus as an environment variable is the access method and when the secret is read from Secret Manager.

Mounting a secret as a volume reads the secret each time the volume/file is read. If you are referencing the latest tag, updates to secrets will update the secret in Functions the next time you read the volume/file.

Exposing a secret as an environment variable reads the secret at instance cold start. That means if you update the secret, the Function instance will continue to use the last value even if you specify latest. Only on instance cold start is the new secret read from Secret Manager. If you have multiple function instances running, some might use the previous value and some might use the current value. That depends on when each Function instance was started.

Mounting a secret as a volume can be more expensive because the secret might be read more often.
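The read-timing difference described in the answer, as an added example that is not part of the original question or answer: two simulated function instances are cold-started before and after a secret rotation, and each reads the secret both ways. FakeSecretManager, the API_TOKEN name, the api-token secret and the mount layout are constructed stand-ins, not Google's API.

```python
import tempfile
from pathlib import Path


class FakeSecretManager:
    """Constructed stand-in for Secret Manager: versions per secret, 'latest' = newest."""
    def __init__(self):
        self.versions = {}   # name -> [v1, v2, ...]
        self.mounts = {}     # name -> [Path, ...] files the "volume" keeps current

    def add_version(self, name, value):
        self.versions.setdefault(name, []).append(value)
        # A mounted volume serves the current 'latest' on every file read.
        for path in self.mounts.get(name, []):
            path.write_text(value + "\n")

    def access(self, name, version="latest"):
        vs = self.versions[name]
        return vs[-1] if version == "latest" else vs[int(version) - 1]

    def mount(self, name, mount_dir):
        path = Path(mount_dir) / name   # hypothetical layout: <mount dir>/<secret name>
        self.mounts.setdefault(name, []).append(path)
        path.write_text(self.access(name) + "\n")


class FunctionInstance:
    """One instance: env-var secrets are resolved once at cold start, volume secrets on every read."""
    def __init__(self, sm, secret_name, mount_dir):
        self.env = {"API_TOKEN": sm.access(secret_name, "latest")}  # cold-start snapshot
        self.mount_path = Path(mount_dir) / secret_name

    def token_from_env(self):
        return self.env["API_TOKEN"]

    def token_from_volume(self):
        return self.mount_path.read_text().strip()


def rotation_scenario():
    # Instance a starts while latest == v1, the secret is rotated, then instance b starts.
    sm = FakeSecretManager()
    sm.add_version("api-token", "token-v1")
    with tempfile.TemporaryDirectory() as d:
        sm.mount("api-token", d)
        a = FunctionInstance(sm, "api-token", d)   # cold start before rotation
        sm.add_version("api-token", "token-v2")    # rotation: latest is now v2
        b = FunctionInstance(sm, "api-token", d)   # cold start after rotation
        return {"a_env": a.token_from_env(), "b_env": b.token_from_env(),
                "a_vol": a.token_from_volume(), "b_vol": b.token_from_volume()}
```

Instance a keeps returning token-v1 from its environment while both instances read token-v2 from the volume, which is the mixed-value state the answer warns about.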
