将函数源代码添加到源代码控制存储库时如何正确处理 local.settings.json 文件中的机密 [英] How to properly handle secrets in a local.settings.json file when adding the function source code to a source control repository
问题描述
我有一个 Azure 函数,它的 local.settings.json
文件中有一些秘密.
I have an Azure function with a few secrets in its local.settings.json
file.
当我想在 GitHub 中分享我的函数的源代码时,有哪些最佳做法?
What are the best practices when I want to share the source code of my function in GitHub?
到目前为止,我可以想到以下选项,但每个选项都有一些问题或挑战:
So far I can think of the following options, but each option has some issues or challenges:
1- 请记住在我提交更改时更改 local.settings.json
中的秘密.提交完成后,撤消更改,以便我可以运行该函数并对其进行调试.此选项非常容易出错且乏味.
1- Remember to change the secrets in local.settings.json
anytime I commit my changes. Once the commit is done, undo changes, so I can run the function and debug it. This option is very error-prone and tedious.
2- 将 local.settings.json
添加到 .gitignore 文件中.使用这种方法,从 GitHub 获取代码的人需要记住恢复 local.settings.json
2- Add local.settings.json
to the .gitignore file. With this approach, people who get the code from GitHub need to remember to restore the local.settings.json
3- 将机密存储在 Azure Key Vault 中.但这对于我正在创建的这么小的功能来说太过分了.
3- Store the secrets in Azure Key Vault. But this is too much for such little function that I am creating.
我想在这里询问如何处理源代码控制存储库中 local.settings.json
中的秘密的最佳实践是什么.
I wanted to ask here what are the best practices how to handle the secrets in local.settings.json
in a source control repository.
推荐答案
As 描述在这里,你可以为你的秘密添加另一个配置文件(secret.settings.json
).
As described here, you can add another config file (secret.settings.json
) for your secrets.
{
"ConnectionStrings": {
"SqlConnectionString": "server=myddatabaseserver;user=tom;password=123;"
},
"MyCustomStringSetting": "Override Some Name",
"MailSettings": {
"PrivateKey": "xYasdf5678asjifSDFGhasn1234sDGFHg"
}
}
将您的新设置文件添加到 .gitignore
.然后从 .gitignore
中删除 local.settings.json
并编辑任何秘密值.
Add your new settings file to the .gitignore
. Then remove local.settings.json
from the .gitignore
and redact any secret values.
{
"IsEncrypted": false,
"Values": {
"AzureWebJobsStorage": "UseDevelopmentStorage=true",
"FUNCTIONS_WORKER_RUNTIME": "dotnet"
},
"ConnectionStrings": {
"SqlConnectionString": "--SECRET--"
},
"MyCustomStringSetting": "Some Name",
"MyCustomNumberSetting": 123,
"MailSettings": {
"FromAddress": "local-testing123@email.com",
"ToAddress": "receiver@email.com",
"MailServer": "smtp.mymailserver.com",
"PrivateKey": "--SECRET--"
}
}
然后确保包含您的额外配置文件.
Then make sure that your extra config file is included.
var config = new ConfigurationBuilder()
.SetBasePath(context.FunctionAppDirectory)
.AddJsonFile("local.settings.json", optional: true, reloadOnChange: true)
.AddJsonFile("secret.settings.json", optional: true, reloadOnChange: true)
.AddEnvironmentVariables()
.Build();
使用这种技术,至少在源代码管理中跟踪所有设置.任何秘密值都会被安全地编辑.
With this technique, at least all settings are being tracked in source control. Any secret values are safely redacted.
这篇关于将函数源代码添加到源代码控制存储库时如何正确处理 local.settings.json 文件中的机密的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!