如何处理 Google App Engine 中的机密? [英] How to handle secrets in Google App Engine?

问题描述

我的应用程序需要一堆机密才能运行:数据库凭据、API 凭据等.它在 Google App Engine Standard Java 11 中运行.我需要这些机密作为环境变量或作为我的应用程序的参数，以便我的框架可以接收它们并相应地建立连接.我的特定框架是 Spring Boot，但我相信 Django、Rails 和许多其他框架都使用相同的方法.

My application needs a bunch of secrets to run: database credentials, API credentials, etc. It's running in Google App Engine Standard Java 11. I need these secrets as environment variables or as arguments to my application, so that my framework can pick them up and establish the connections accordingly. My particular framework is Spring Boot, but I believe Django, Rails and many others use the same methods.

这样做的最佳方法是什么?

What's the best way of doing this?

我对这个问题的答案之一是使用 GoogleCloud Key Management，看起来很有希望，但我不知道如何将这些值转换为 App Engine 中的环境变量.是否可以?我已阅读为服务器到服务器生产应用程序设置身份验证，但我没有在 App Engine 中查看有关如何将机密转换为环境变量的任何指示(我错过了吗?).

One of the answers I get to this question is to use Google Cloud Key Management, which looks promising, but I can't figure out how to turn those values into environment variables in App Engine. Is it possible? I've read Setting Up Authentication for Server to Server Production Applications, but I don't see any indication there about how to turn the secrets into environment variables in App Engine (am I missing it?).

我见过的其他替代方案包括在 app.yaml 或另一个从未提交并存在于我的机器中的文件中对它们进行硬编码，这意味着我是唯一可以部署的人...我什至无法从另一台机器部署.这对我来说是个问题.

The other alternatives I've seen include hard-coding them in app.yaml or another file that is never committed and lives in my machine, which means I'm the only one who can deploy... I can't even deploy from another machine. This is problematic for me.

我见过的另一个潜在解决方案是将问题委托给 Google Cloud Build，以便它从 CKM 获取值/文件并将其推送到 App Engine (1，2).我没有使用 GCB，我怀疑我会，因为它太基础了.

Another potential solution I've seen is to delegate the problem to Google Cloud Build, so that it fetches a value/file from CKM and pushes it to App Engine (1, 2). I'm not using GCB and I doubt I will, since it's so basic.

我真的希望 App Engine 有一个像 Heroku 那样的环境变量页面.

I really wish App Engine had a environment variables page like Heroku does.

推荐答案

[更新](截至 2020 年 2 月)GCP 的 Secret Manager 处于测试阶段，请参阅:

[Update] (as of Feb 2020) GCP's Secret Manager is in beta, see:

https://cloud.google.com/secret-manager/docs/overview

对于特定于 Java 的实现，请参阅:https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#secretmanager-access-secret-version-java

For Java-specific implementation, see: https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#secretmanager-access-secret-version-java

您的具体解决方案将取决于您的应用程序的设置方式，但您应该能够访问密钥并使用这些值创建环境变量或以其他方式将它们传递给您的应用程序.

Your specific solution would depend how your app is set up, but you should be able to access the secret(s) and create environment variables with the values or otherwise pass them to your app.

您可以使用 GCP IAM 创建服务帐户来管理访问权限或向现有成员/服务添加诸如 Secret Manager Secret Accessor 之类的角色(例如，在本例中，我将该权限添加到App Engine 默认服务帐户).

You can use GCP IAM to create a service accounts to manage access or add a role like Secret Manager Secret Accessor to an existing member/service (e.g., in this case, I added that permision to the App Engine default service account).

我在 GAE 标准上使用 Node.js 进行了尝试，它似乎运行良好；我没有进行任何性能测试，但应该没问题，特别是如果您主要需要在应用启动时或作为构建过程的一部分的秘密.

I tried it out with Node.js on GAE standard, and it seems to work well; I didn't do any performance tests but it should be fine, particularly if you primarily need the secrets on app start or as part of a build process.

对于本地(非 GCP)开发/测试，您可以创建一个具有适当 secret manager 权限的服务帐户并获取 json 服务密钥.然后将名为 GOOGLE_APPLICATION_CREDENTIALS 的环境变量设置为文件路径，例如:

For local (non-GCP) development/testing, you can create a service account with appropriate secret manager permissions and get the json service key. You then set an environment variable named GOOGLE_APPLICATION_CREDENTIALS to the path of the file, e.g.:

export GOOGLE_APPLICATION_CREDENTIALS=/path/to/local_service_key.json

并且在该 shell 会话中运行的应用程序应该无需任何其他身份验证代码即可获取权限.请参阅:https://cloud.google.com/docs/authentication/getting-started(您可能希望从版本控制中排除密钥文件.)

and the app running in that shell session should pick up the permissions without any additional auth code. See: https://cloud.google.com/docs/authentication/getting-started (You would want to exclude the key file from version control.)

这篇关于如何处理 Google App Engine 中的机密?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！