How do I handle secrets in Google Cloud Functions?
Question
What is the common practice here? There seem to be no tools provided by gcloud. I'm deploying functions from my local machine for now, so I can hardcode secrets, but this seems inappropriate. Also, what about CI/CD? I would need to pass secrets as environment variables in this case. Is this even possible atm?
Recommended answer
Since making my comment, I've found a relatively simple way to do this - provide a config.json file. Here's an example I hacked together based on their Slack function example:
config.json file in the same directory as index.js:
{
"foo": "bar"
}
index.js:
const config = require('./config.json');
exports.envTest = (req, res) => {
res.status(200).send(config.foo);
};
When you deploy the function and go to the URL, you should get the response bar.
Pros and cons:
Pros:
- Easy to set up and configure right in your IDE
- Config file can be put into .gitignore to ensure your secrets don't end up in the repo
- File itself can be stored in a secure location and only given to the individual responsible for deploying the functions
Cons:
- Clunky compared to proper secrets management
- Care is needed to make sure the file doesn't end up in the wrong hands
- The file can be read in plain text in the Google Cloud console by viewing the function source
On the whole, it's a far cry from a real secrets management system, but it's workable enough to hold me over until this feature eventually makes it into the Cloud Functions core.