如何处理Google App Engine中的机密? [英] How to handle secrets in Google App Engine?
问题描述
我的应用程序需要一堆秘密来运行:数据库凭据,API凭据等.它正在Google App Engine标准Java 11中运行.我需要这些秘密作为环境变量或应用程序参数 >,以便我的框架可以选择它们并相应地建立连接.我的特定框架是Spring Boot,但是我相信Django,Rails和许多其他框架都使用相同的方法.
My application needs a bunch of secrets to run: database credentials, API credentials, etc. It's running in Google App Engine Standard Java 11. I need these secrets as environment variables or as arguments to my application, so that my framework can pick them up and establish the connections accordingly. My particular framework is Spring Boot, but I believe Django, Rails and many others use the same methods.
做到这一点的最佳方法是什么?
What's the best way of doing this?
此问题的答案之一是使用Google Cloud Key Management ,看起来很有希望,但我不知道如何在App Engine中将这些值转换为环境变量.是否有可能?我已阅读设置服务器到服务器生产应用程序的身份验证,但我没有看到有关如何在App Engine中将机密转换为环境变量的任何指示(我想念它吗?).
One of the answers I get to this question is to use Google Cloud Key Management, which looks promising, but I can't figure out how to turn those values into environment variables in App Engine. Is it possible? I've read Setting Up Authentication for Server to Server Production Applications, but I don't see any indication there about how to turn the secrets into environment variables in App Engine (am I missing it?).
我见过的其他选择包括将它们硬编码在app.yaml或永不提交并存在于我的计算机中的文件中,这意味着我是唯一可以部署的文件...我不能甚至可以从另一台机器进行部署.这对我来说是个问题.
The other alternatives I've seen include hard-coding them in app.yaml or another file that is never committed and lives in my machine, which means I'm the only one who can deploy... I can't even deploy from another machine. This is problematic for me.
我看到的另一个潜在解决方案是将问题委托给Google Cloud Build,以便它从CKM中获取值/文件并将其推送到App Engine( 2 ).我没有使用GCB,但我会怀疑,因为它是如此基本.
Another potential solution I've seen is to delegate the problem to Google Cloud Build, so that it fetches a value/file from CKM and pushes it to App Engine (1, 2). I'm not using GCB and I doubt I will, since it's so basic.
我真的希望App Engine像Heroku一样有一个环境变量页面.
I really wish App Engine had a environment variables page like Heroku does.
推荐答案
[更新] (截至2020年2月) GCP的秘密管理员处于测试版,请参见:
[Update] (as of Feb 2020) GCP's Secret Manager is in beta, see:
https://cloud.google.com/secret-manager/docs/overview
有关特定于Java的实现,请参见: https://cloud .google.com/secret-manager/docs/creating-and-accessing-secrets#secretmanager-access-secret-version-java
For Java-specific implementation, see: https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#secretmanager-access-secret-version-java
您的特定解决方案将取决于您应用程序的设置方式,但是您应该能够访问机密信息并使用值创建环境变量,或者将其传递给您的应用程序.
Your specific solution would depend how your app is set up, but you should be able to access the secret(s) and create environment variables with the values or otherwise pass them to your app.
您可以使用GCP IAM创建服务帐户来管理访问或向现有成员/服务添加类似Secret Manager Secret Accessor的角色(例如,在这种情况下,我将该权限添加到App Engine default service account).
You can use GCP IAM to create a service accounts to manage access or add a role like Secret Manager Secret Accessor to an existing member/service (e.g., in this case, I added that permision to the App Engine default service account).
我使用GAE标准的Node.js进行了尝试,它似乎运行良好;我没有进行任何性能测试,但是应该没问题,特别是如果您主要需要在启动应用程序时或在构建过程中需要这些机密信息.
I tried it out with Node.js on GAE standard, and it seems to work well; I didn't do any performance tests but it should be fine, particularly if you primarily need the secrets on app start or as part of a build process.
对于本地(非GCP)开发/测试,您可以创建具有适当秘密管理员权限的服务帐户,并获取json服务密钥.然后,您将名为GOOGLE_APPLICATION_CREDENTIALS的环境变量设置为文件的路径,例如:
For local (non-GCP) development/testing, you can create a service account with appropriate secret manager permissions and get the json service key. You then set an environment variable named GOOGLE_APPLICATION_CREDENTIALS to the path of the file, e.g.:
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/local_service_key.json
,并且在该Shell会话中运行的应用应获得许可,而无需任何其他身份验证代码. 请参阅: https://cloud.google.com/docs/authentication/getting-started (您可能要从版本控制中排除密钥文件.)
and the app running in that shell session should pick up the permissions without any additional auth code. See: https://cloud.google.com/docs/authentication/getting-started (You would want to exclude the key file from version control.)
这篇关于如何处理Google App Engine中的机密?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
