如何在Google App Engine和gitlab CI中传递环境秘密变量 [英] How to pass the env secret variable in google app engine and gitlab CI

问题描述

我正在使用gitlab并将其部署到我的nodejs应用程序的google app引擎中.

I am using gitlab and deploying it to google app engine for my nodejs application.

Google Service访问权限已添加为gitlab设置中的变量

Google Service access is added as variable in gitlab settings

SERVICE_ACCOUNT_KEY: 
   {
      "type": "service_account",
      "project_id": "node-us",
      "private_key_id": "",
      "private_key": "",
      "client_email": "gitlab-demo-service-account@node-us.iam.gserviceaccount.com",
      "client_id": "",
      "auth_uri": "",
      "token_uri": "",
      "auth_provider_x509_cert_url": "",
      "client_x509_cert_url": ""
    }

.gitlab-ci.yml

image: node:latest
cache:
  paths:
    - node_modules/
    
before_script:
  - echo "deb http://packages.cloud.google.com/apt cloud-sdk-jessie main" | tee /etc/apt/sources.list.d/google-cloud-sdk.list
  - curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
  - apt-get update
  - apt-get -qq -y install google-cloud-sdk

deploy_production:
  stage: deploy
  environment: Production
  only:
    - master
  script:
    - echo $SERVICE_ACCOUNT_KEY > /tmp/$CI_PIPELINE_ID.json
    - gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json
    - gcloud --quiet --project node-us app deploy app.yaml

after_script:
  - rm /tmp/$CI_PIPELINE_ID.json

我的根文件夹有 app.yaml 文件和 .env 文件

my root folder has app.yaml file and .env file

截至目前，我正在测试流程，该流程运行良好并且已成功部署到google app引擎.(它不包含任何秘密密钥)

As of now I was testing the flow which worked fine and deployed successfully to google app engine. (it does not contain any secret keys)

但是我希望我的env变量(包含秘密密钥)需要在 .gitignore 中忽略，也不要成为 app.yaml 文件的一部分.

However I want the my env variables (containing secret keys) need to be ignored in .gitignore also not to be part of app.yaml file.

如何传递我的环境秘密密钥?

How can I pass my env secret keys?

推荐答案

不要通过！

使用秘密管理器来传递您的秘密.因此，在您的存储库中，使用机密管理器URI来引用具有机密版本的机密.这样，您的代码或app.yaml/.env文件中就没有秘密.

Use Secret Manager to pass your secret. So, in your repository, use the secret manager URI to reference the secret, with the secret version. Like this, no secret in your code or in the app.yaml/.env files.

如果您需要更新机密，请手动进行.有些任务很难自动化，也很昂贵.

If you need to update the secret, do it manually. Some tasks are hard, or expensive, to automate.

注意:您提到的文章已在Secret Manager发布前六个月(即2020年年初)发布

这篇关于如何在Google App Engine和gitlab CI中传递环境秘密变量的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！