如何在Google App Engine和gitlab CI中传递环境秘密变量 [英] How to pass the env secret variable in google app engine and gitlab CI

本文介绍了如何在Google App Engine和gitlab CI中传递环境秘密变量的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在使用gitlab并将其部署到我的nodejs应用程序的google app引擎中.

I am using gitlab and deploying it to google app engine for my nodejs application.

Google Service访问权限已添加为gitlab设置中的变量

Google Service access is added as variable in gitlab settings

SERVICE_ACCOUNT_KEY: 
   {
      "type": "service_account",
      "project_id": "node-us",
      "private_key_id": "",
      "private_key": "",
      "client_email": "gitlab-demo-service-account@node-us.iam.gserviceaccount.com",
      "client_id": "",
      "auth_uri": "",
      "token_uri": "",
      "auth_provider_x509_cert_url": "",
      "client_x509_cert_url": ""
    }

.gitlab-ci.yml

image: node:latest
cache:
  paths:
    - node_modules/
    
before_script:
  - echo "deb http://packages.cloud.google.com/apt cloud-sdk-jessie main" | tee /etc/apt/sources.list.d/google-cloud-sdk.list
  - curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
  - apt-get update
  - apt-get -qq -y install google-cloud-sdk

deploy_production:
  stage: deploy
  environment: Production
  only:
    - master
  script:
    - echo $SERVICE_ACCOUNT_KEY > /tmp/$CI_PIPELINE_ID.json
    - gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json
    - gcloud --quiet --project node-us app deploy app.yaml

after_script:
  - rm /tmp/$CI_PIPELINE_ID.json

我的根文件夹有 app.yaml 文件和 .env 文件

my root folder has app.yaml file and .env file

截至目前,我正在测试流程,该流程运行良好并且已成功部署到google app引擎.(它不包含任何秘密密钥)

As of now I was testing the flow which worked fine and deployed successfully to google app engine. (it does not contain any secret keys)

但是我希望我的env变量(包含秘密密钥)需要在 .gitignore 中忽略,也不要成为 app.yaml 文件的一部分.

However I want the my env variables (containing secret keys) need to be ignored in .gitignore also not to be part of app.yaml file.

如何传递我的环境秘密密钥?

How can I pass my env secret keys?

推荐答案

不要通过!

使用秘密管理器来传递您的秘密.因此,在您的存储库中,使用机密管理器URI来引用具有机密版本的机密.这样,您的代码或app.yaml/.env文件中就没有秘密.

Use Secret Manager to pass your secret. So, in your repository, use the secret manager URI to reference the secret, with the secret version. Like this, no secret in your code or in the app.yaml/.env files.

如果您需要更新机密,请手动进行.有些任务很难自动化,也很昂贵.

If you need to update the secret, do it manually. Some tasks are hard, or expensive, to automate.

注意:您提到的文章已在Secret Manager发布前六个月(即2020年年初)发布

这篇关于如何在Google App Engine和gitlab CI中传递环境秘密变量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆