How do I handle secrets in Google Cloud Functions?


Question

What is the common practice here? There seems to be no tools provided by gcloud. I'm deploying functions from local machine for now, so I can hardcode secrets, but this seems inappropriate. Also, what about CI/CD? I would need to pass secrets as environment variables in this case. Is this even possible atm?

Recommended answer

Since making my comment, I've found a relatively simple way to do this - provide a config .json file. Here's an example I hacked together based on their Slack function example:

config.json file in the same directory as index.js:

{
  "foo": "bar"
}

index.js

const config = require('./config.json');

exports.envTest = (req, res) => {
  res.status(200).send(config.foo);
};

When you deploy the function and go to the URL, you should get the response bar.

Pros and cons:

Pros:

  1. Easy to set up and configure right in your IDE
  2. Config file can be put into .gitignore to ensure your secrets don't end up in the repo
  3. File itself can be stored in a secure location and only given to the individual responsible for deploying the functions

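Cons:

  1. Clunky compared to proper secrets management
  2. Care needs to be taken to ensure the file doesn't fall into the wrong hands
  3. The file can be read in plain text in the Google Cloud console by viewing the function source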

On the whole, it's a far cry from a real secrets management system, but it's workable enough to hold me over until this feature eventually makes it into the Cloud Functions core.
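For the CI/CD case raised in the question, one way to combine both ideas is a build step that writes config.json from the pipeline's secret environment variables just before deployment. This is an added example, not part of the original answer; the `FN_SECRET_` prefix, the function names, and the simplified .gitignore check are assumptions made for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical naming convention for this example: FN_SECRET_<KEY>.
const PREFIX = 'FN_SECRET_';

// Simplified check: true if .gitignore has a line naming the file exactly
// (with or without a leading slash). Real gitignore patterns are richer.
function isGitIgnored(dir, fileName) {
  const ignoreFile = path.join(dir, '.gitignore');
  if (!fs.existsSync(ignoreFile)) return false;
  return fs.readFileSync(ignoreFile, 'utf8')
    .split(/\r?\n/)
    .map((line) => line.trim())
    .some((line) => line === fileName || line === '/' + fileName);
}

// Builds config.json from environment variables and writes it next to index.js.
// Throws, naming only the missing keys and never any value, if one is absent.
function writeConfigFromEnv(dir, requiredKeys, env = process.env) {
  if (!isGitIgnored(dir, 'config.json')) {
    throw new Error('config.json is not listed in .gitignore; refusing to write secrets');
  }
  const missing = requiredKeys.filter((k) => !env[PREFIX + k.toUpperCase()]);
  if (missing.length > 0) {
    throw new Error('missing secret variables for: ' + missing.join(', '));
  }
  const config = {};
  for (const key of requiredKeys) config[key] = env[PREFIX + key.toUpperCase()];
  const target = path.join(dir, 'config.json');
  // Owner read/write only, so other users on the build host cannot read it.
  fs.writeFileSync(target, JSON.stringify(config, null, 2) + '\n', { mode: 0o600 });
  fs.chmodSync(target, 0o600); // the mode option is ignored if the file already existed
  return target;
}

// Constructed demo: a temp directory stands in for the function's source directory,
// and the env object stands in for the CI system's secret variables.
const demoDir = fs.mkdtempSync(path.join(os.tmpdir(), 'fn-'));
fs.writeFileSync(path.join(demoDir, '.gitignore'), 'node_modules\nconfig.json\n');
writeConfigFromEnv(demoDir, ['foo'], { FN_SECRET_FOO: 'bar' });
console.log(require(path.join(demoDir, 'config.json')).foo);
```

The deployed source still contains config.json, so the third con above (readable in the Cloud console) applies to this approach as well.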
