Google Cloud Functions - How to securely store service account private key when using Google Source Repository?


Problem description

I use Google Source Repository to store my Google Cloud Functions. (Git repo hosted by Google, basically)

One of my functions needs to access a private Google Sheet file, I therefore created a Service Account. (With way too many rights since it's so hard to understand what exact rights we should give to a service account, and so hard to update later on, but I digress)

Now, it's clearly not recommended to store the Service Account JSON file in the git repository itself for obvious reasons. Here is what it looks like (stripped of values):

{
  "type": "service_account",
  "project_id": "",
  "private_key_id": "",
  "private_key": "",
  "client_email": "",
  "client_id": "",
  "auth_uri": "",
  "token_uri": "",
  "auth_provider_x509_cert_url": "",
  "client_x509_cert_url": ""
}

I have been looking at environment variables to configure a Function or something alike but didn't find anything. Tracking the key (and therefore potentially duplicating that file in several repositories) really doesn't sound like such a good idea. But I haven't found any "proper" way to do it yet. And due to the way Google Functions work, I can't think of anything else but env variables.

Recommended answer

My solution when using a cloud function with a service account is:

  1. Encrypt your service account credential json file using Cloud KMS/vault and upload it to Cloud Storage.
  2. Fetch the service account credential json file from Cloud Storage and decrypt it using a Cloud KMS service account which has encrypt/decrypt permission.

Parse the service account credential json file at runtime and get private_key, client_email and projectId.

Pass these three secret variables to the client library.

We store config variables as environment variables for the cloud function; they are plain text, but that's ok, because they are not secret things.

We must not store secret things in plain text, e.g. as cloud function environment variables.
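The runtime half of the procedure in the answer above (fetch the ciphertext from Cloud Storage, decrypt it with Cloud KMS, parse the JSON, hand the secret fields to the client library), written out as an added Python example that is not part of the original answer. The bucket, object and KMS key names, the environment variable names, and the sample key file are all assumptions constructed for the example; the Google client calls (`download_as_bytes`, `KeyManagementServiceClient.decrypt`, `Credentials.from_service_account_info`) are the real library APIs. One detail the answer does not mention: the Python auth library also needs `token_uri` (not a secret) alongside `client_email` and `private_key`, so it is carried through too.

```python
"""Cloud Function runtime: decrypt a KMS-wrapped service-account key at startup.

Operator-side step 1 of the answer (done once, outside the function), with
placeholder names:
    gcloud kms encrypt --location global --keyring functions --key sa-keys \
        --plaintext-file sheets-sa.json --ciphertext-file sheets-sa.json.enc
    gsutil cp sheets-sa.json.enc gs://my-config-bucket/
The plaintext sheets-sa.json is then deleted and never committed.
"""
import json
import os

# Non-secret configuration: as the answer notes, these may live as plain-text
# function environment variables. Defaults are placeholder values (assumptions).
CIPHERTEXT_BUCKET = os.environ.get("SA_CIPHERTEXT_BUCKET", "my-config-bucket")
CIPHERTEXT_OBJECT = os.environ.get("SA_CIPHERTEXT_OBJECT", "sheets-sa.json.enc")
KMS_KEY_NAME = os.environ.get(
    "SA_KMS_KEY",
    "projects/my-project/locations/global/keyRings/functions/cryptoKeys/sa-keys",
)

# The three fields the answer passes to the client library, plus token_uri,
# which google-auth requires to build credentials.
SECRET_FIELDS = ("project_id", "client_email", "private_key")
REQUIRED_FIELDS = SECRET_FIELDS + ("token_uri",)

# Constructed sample of a decrypted key file (NOT a real key) for local runs.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "sheets-reader@example-project.iam.gserviceaccount.com",
    "client_id": "1234567890",
    "token_uri": "https://oauth2.googleapis.com/token",
}).encode("utf-8")


def parse_service_account(plaintext: bytes) -> dict:
    """Parse the decrypted key file and keep only the fields the library needs.

    Raises ValueError for anything that is not a usable service-account file so
    a wrong object or wrong KMS key fails loudly instead of half-working.
    """
    try:
        info = json.loads(plaintext.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("decrypted payload is not service-account JSON") from exc
    if info.get("type") != "service_account":
        raise ValueError("unexpected key file type: %r" % info.get("type"))
    missing = [f for f in REQUIRED_FIELDS if not info.get(f)]
    if missing:
        raise ValueError("service-account JSON missing: " + ", ".join(missing))
    return {f: info[f] for f in REQUIRED_FIELDS}


def redact_for_log(secrets: dict) -> dict:
    """Copy that is safe to log: the private key is replaced by its length."""
    safe = dict(secrets)
    safe["private_key"] = "<redacted %d bytes>" % len(secrets["private_key"])
    return safe


def fetch_and_decrypt(bucket: str, obj: str, key_name: str) -> bytes:
    """Step 2 of the answer: download the ciphertext and have Cloud KMS decrypt it.

    The function's runtime identity needs storage.objects.get on the object and
    roles/cloudkms.cryptoKeyDecrypter on key_name; the plaintext key never
    touches disk, an env variable, or the repository.
    """
    # Deferred imports: the pure helpers above work without the client libraries.
    from google.cloud import kms, storage

    ciphertext = storage.Client().bucket(bucket).blob(obj).download_as_bytes()
    response = kms.KeyManagementServiceClient().decrypt(
        request={"name": key_name, "ciphertext": ciphertext}
    )
    return response.plaintext


def load_sheets_credentials(scopes=("https://www.googleapis.com/auth/spreadsheets.readonly",)):
    """Glue for the function: decrypt, parse, and build credentials from the fields."""
    from google.oauth2 import service_account

    secrets = parse_service_account(
        fetch_and_decrypt(CIPHERTEXT_BUCKET, CIPHERTEXT_OBJECT, KMS_KEY_NAME)
    )
    return service_account.Credentials.from_service_account_info(secrets, scopes=list(scopes))


if __name__ == "__main__":
    # Offline demo on the constructed sample; real deployments call
    # load_sheets_credentials() once at module import to reuse across invocations.
    print(redact_for_log(parse_service_account(SAMPLE_KEY_FILE)))
```

Calling `load_sheets_credentials()` at module level (rather than inside the handler) means the KMS round trip happens once per cold start instead of once per invocation, and the parsed secrets stay in process memory only.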
