How to properly handle secrets in a local.settings.json file when adding the function source code to a source control repository

Problem description

I have an Azure function with a few secrets in its local.settings.json file.

What are the best practices when I want to share the source code of my function in GitHub?

So far I can think of the following options, but each option has some issues or challenges:

1- Remember to change the secrets in local.settings.json anytime I commit my changes. Once the commit is done, undo changes, so I can run the function and debug it. This option is very error-prone and tedious.

2- Add local.settings.json to the .gitignore file. With this approach, people who get the code from GitHub need to remember to restore the local.settings.json.

3- Store the secrets in Azure Key Vault. But this is too much for such a little function that I am creating.

I wanted to ask here what the best practices are for handling the secrets in local.settings.json in a source control repository.

Recommended answer

As described here, you can add another config file (secret.settings.json) for your secrets.

{
    "ConnectionStrings": {
        "SqlConnectionString": "server=myddatabaseserver;user=tom;password=123;"
    },
    "MyCustomStringSetting": "Override Some Name",
    "MailSettings": {
        "PrivateKey": "xYasdf5678asjifSDFGhasn1234sDGFHg"
    }
}

Add your new settings file to the .gitignore. Then remove local.settings.json from the .gitignore and redact any secret values.

{
    "IsEncrypted": false,
    "Values": {
        "AzureWebJobsStorage": "UseDevelopmentStorage=true",
        "FUNCTIONS_WORKER_RUNTIME": "dotnet"
    },
    "ConnectionStrings": {
        "SqlConnectionString": "--SECRET--"
    },
    "MyCustomStringSetting": "Some Name",
    "MyCustomNumberSetting": 123,
    "MailSettings": {
        "FromAddress": "local-testing123@email.com",
        "ToAddress": "receiver@email.com",
        "MailServer": "smtp.mymailserver.com",
        "PrivateKey": "--SECRET--"
    }
}

Then make sure that your extra config file is included.

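// Requires: using Microsoft.Extensions.Configuration;
// context is the ExecutionContext parameter of the function method.
// Sources added later override earlier ones: secret.settings.json overrides
// local.settings.json, and environment variables override both.
var config = new ConfigurationBuilder()
    .SetBasePath(context.FunctionAppDirectory)
    .AddJsonFile("local.settings.json", optional: true, reloadOnChange: true)
    .AddJsonFile("secret.settings.json", optional: true, reloadOnChange: true)
    .AddEnvironmentVariables()
    .Build();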

With this technique, at least all settings are being tracked in source control. Any secret values are safely redacted.
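
A check that could run before each commit to confirm the split described in the answer still holds; this is an added example, not part of the original answer. The function names (leaves, audit, demo) are hypothetical, the sample files are constructed, and the .gitignore test is an exact-line match that does not interpret glob patterns.

```python
import json
import tempfile
from pathlib import Path

PLACEHOLDER = "--SECRET--"  # redaction marker used in the answer's local.settings.json
def leaves(node, prefix=""):
    """Yield (path, value) per leaf; ':' joins keys as in .NET configuration."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaves(value, f"{prefix}:{key}" if prefix else key)
    else:
        yield prefix, node

def audit(repo_dir):
    """Return problems that would put a secret into source control."""
    repo, problems = Path(repo_dir), []
    gitignore = repo / ".gitignore"
    # Simplification (assumption): exact-line match only, no glob or negation handling.
    lines = gitignore.read_text().splitlines() if gitignore.exists() else []
    if "secret.settings.json" not in {ln.strip().lstrip("/") for ln in lines}:
        problems.append(".gitignore does not list secret.settings.json")
    secret_file = repo / "secret.settings.json"
    if not secret_file.exists():
        return problems  # fresh clone: no local secrets to compare against
    secrets = {v: p for p, v in leaves(json.loads(secret_file.read_text()))
               if isinstance(v, str)}
    tracked = json.loads((repo / "local.settings.json").read_text())
    for path, value in leaves(tracked):
        if isinstance(value, str) and value != PLACEHOLDER and value in secrets:
            problems.append(f"local.settings.json {path} holds the real value "
                            f"of {secrets[value]}")
    return problems

def demo():
    """Audit constructed files: a correctly redacted tree, then one leaked key."""
    secret = {"ConnectionStrings": {"SqlConnectionString": "server=db;password=example"},
              "MailSettings": {"PrivateKey": "constructed-key-value"}}
    tracked = {"Values": {"FUNCTIONS_WORKER_RUNTIME": "dotnet"},
               "ConnectionStrings": {"SqlConnectionString": PLACEHOLDER},
               "MailSettings": {"FromAddress": "a@example.com", "PrivateKey": PLACEHOLDER}}
    with tempfile.TemporaryDirectory() as repo:
        root = Path(repo)
        (root / ".gitignore").write_text("bin/\nsecret.settings.json\n")
        (root / "secret.settings.json").write_text(json.dumps(secret))
        (root / "local.settings.json").write_text(json.dumps(tracked))
        clean = audit(root)
        tracked["MailSettings"]["PrivateKey"] = secret["MailSettings"]["PrivateKey"]
        (root / "local.settings.json").write_text(json.dumps(tracked))
        return clean, audit(root)
```

Calling audit(".") from a pre-commit hook and refusing the commit when the returned list is non-empty catches a real value pasted back into the tracked file.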
