Securely storing environment variables in GAE with app.yaml
Problem description
I need to store API keys and other sensitive information in app.yaml as environment variables for deployment on GAE. The issue with this is that if I push app.yaml to GitHub, this information becomes public (not good). I don't want to store the info in a datastore as it does not suit the project. Rather, I'd like to swap out the values from a file that is listed in .gitignore on each deployment of the app.
Here is my app.yaml file:
application: myapp
version: 3
runtime: python27
api_version: 1
threadsafe: true

libraries:
- name: webapp2
  version: latest
- name: jinja2
  version: latest

handlers:
- url: /static
  static_dir: static
- url: /.*
  script: main.application
  login: required
  secure: always
  # auth_fail_action: unauthorized

env_variables:
  CLIENT_ID: ${CLIENT_ID}
  CLIENT_SECRET: ${CLIENT_SECRET}
  ORG: ${ORG}
  ACCESS_TOKEN: ${ACCESS_TOKEN}
  SESSION_SECRET: ${SESSION_SECRET}
Any ideas?
Recommended answer
The best way to do it is to store the keys in a client_secrets.json file and exclude that from being uploaded to git by listing it in your .gitignore file. If you have different keys for different environments, you can use the app_identity API to determine what the app ID is, and load appropriately.
There is a fairly comprehensive example here: https://developers.google.com/api-client-library/python/guide/aaa_client_secrets
Here is some sample code:
import json

from google.appengine.api import app_identity
from oauth2client.client import flow_from_clientsecrets

# declare your app ids as globals ...
APPID_LIVE = 'awesomeapp'
APPID_DEV = 'awesomeapp-dev'
APPID_PILOT = 'awesomeapp-pilot'

# create a dictionary mapping the app_ids to the filepaths ...
client_secrets_map = {APPID_LIVE: 'client_secrets_live.json',
                      APPID_DEV: 'client_secrets_dev.json',
                      APPID_PILOT: 'client_secrets_pilot.json'}

# get the filename based on the current app_id ...
client_secrets_filename = client_secrets_map.get(
    app_identity.get_application_id(),
    client_secrets_map[APPID_DEV]  # fall back to the dev secrets file
)

# use the filename to construct the flow
# (scope and redirect_uri are your app's own OAuth settings) ...
flow = flow_from_clientsecrets(filename=client_secrets_filename,
                               scope=scope,
                               redirect_uri=redirect_uri)

# or, you could load up the json file manually if you need more control ...
with open(client_secrets_filename, 'r') as f:
    client_secrets = json.load(f)
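The swap the question asks for can also be done at deploy time. The following is an added example, not part of the original question or answer: it fills the ${NAME} placeholders of a committed template from a git-ignored secrets file and writes the result with owner-only permissions. The file name app.yaml.template, the function names and all sample values are assumptions made for illustration; the rendered app.yaml must itself be listed in .gitignore.

```python
import json
import os
import re
from string import Template

# Constructed sample: the env_variables block from the question, kept in a
# committed template (hypothetical name: app.yaml.template).
SAMPLE_TEMPLATE = """\
env_variables:
  CLIENT_ID: ${CLIENT_ID}
  CLIENT_SECRET: ${CLIENT_SECRET}
  SESSION_SECRET: ${SESSION_SECRET}
"""

# Constructed sample of the git-ignored secrets file contents (fake values).
SAMPLE_SECRETS = {
    "CLIENT_ID": "example-client-id",
    "CLIENT_SECRET": "s3cr3t: with #yaml chars",
    "SESSION_SECRET": "line1\nEXTRA_KEY: injected",
}


def render_app_yaml(template_text, secrets):
    """Fill ${NAME} placeholders; raise if any placeholder has no value."""
    names = set(re.findall(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}", template_text))
    missing = sorted(names - set(secrets))
    if missing:
        raise KeyError("no value for: " + ", ".join(missing))
    # json.dumps yields a double-quoted, escaped scalar that YAML also
    # accepts, so a value containing ':', '#' or a newline cannot add or
    # alter keys in the rendered file.
    quoted = {k: json.dumps(str(v)) for k, v in secrets.items()}
    return Template(template_text).substitute(quoted)


def write_private(path, text):
    """Write the rendered file readable by the current user only (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a file that already existed
    with os.fdopen(fd, "w") as f:
        f.write(text)


if __name__ == "__main__":
    print(render_app_yaml(SAMPLE_TEMPLATE, SAMPLE_SECRETS))
```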