Google app engine: Best practice for hiding Rails secret keys?


Problem description





I am deploying my Rails app to GAE, whose code is stored in GitHub.

Obviously, I need to hide my secret key and database password.

In Heroku, I can set them in environment variables very easily and nicely using Heroku GUI, so it won't appear in any source code or database.

What about GAE? I cannot set them in app.yaml because:

  1. .gitignore is not an option: Even if I hide the app.yaml file or an alternative JSON file with .gitignore, I have to save it on my local computer. It means that only I can deploy, and I have to do backups by myself. This is terrible.
  2. Someone says that I can store secret values in a database. But I want to hide the database password too.

Any idea?

Solution

The most secure way to store this info is using project metadata. On a Flexible/ManagedVM environment you can access the metadata via a simple HTTP request.

From the Google blog post:

With Compute Engine, Container Engine, and Managed VMs, there is a magic URL you can CURL to get metadata.

ManagedVMs are the old name for what is now called 'AppEngine Flexible Environment'. Since you say you are using Ruby on App Engine you must be using Flexible/ManagedVMs. Therefore you should be able to use these 'magic URLs'.

So to get an application secret called mysecret in Ruby you might do:

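require 'net/http'
uri = URI.parse('http://metadata.google.internal/computeMetadata/v1/project/attributes/mysecret')
# The v1 metadata server rejects requests that lack the Metadata-Flavor header
Net::HTTP.start(uri.host, uri.port) { |http| http.get(uri.path, 'Metadata-Flavor' => 'Google').body }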

(For @joshlf) Here's how to access project metadata on AppEngine Standard Environment in Python:

# Note that the code will not work on dev_appserver, 
# you will need to switch to some other mechanism 
# for configuration in that environment
# Specifically the project_id will resolve to something
# compute engine API will treat as invalid

from google.appengine.api import app_identity
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

compute = discovery.build(
    'compute', 'v1', credentials=GoogleCredentials.get_application_default())

def get_project_metadata(metadata_key):
    project_id = app_identity.get_application_id()
    project = compute.projects().get(project=project_id).execute()
    # 'items' is absent when the project has no metadata entries
    for entry in project['commonInstanceMetadata'].get('items', []):
        if entry['key'] == metadata_key:
            return entry['value']
    return None

get_project_metadata('my_key')
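
An added Ruby example, not part of the original answer: a fuller version of the metadata lookup that sends the required `Metadata-Flavor` header, bypasses proxies, sets timeouts and validates the key. `project_attribute` and `start_fake_metadata_server` are hypothetical names, and the local server and its secret value are constructed so the block runs offline.

```ruby
require 'net/http'
require 'socket'

# Fetch one project attribute; returns the value, or nil when the key is not set.
# host/port are parameters only so this example can run against a local stand-in.
def project_attribute(key, host: 'metadata.google.internal', port: 80)
  # Metadata keys are letters, digits, '-' and '_'; refuse anything that could alter the path.
  raise ArgumentError, 'invalid metadata key' unless key.match?(/\A[A-Za-z0-9_-]{1,128}\z/)
  req = Net::HTTP::Get.new("/computeMetadata/v1/project/attributes/#{key}")
  req['Metadata-Flavor'] = 'Google' # the v1 server answers 403 without this header
  http = Net::HTTP.new(host, port, nil) # nil: never route metadata requests via a proxy
  http.open_timeout = http.read_timeout = 2
  res = http.request(req)
  case res
  when Net::HTTPNotFound then nil
  when Net::HTTPSuccess
    # The real server labels its replies; anything else is not the metadata server.
    raise 'reply lacks Metadata-Flavor: Google' unless res['Metadata-Flavor'] == 'Google'
    res.body
  else raise "metadata lookup failed: HTTP #{res.code}" # status only, never the body
  end
end

# Constructed stand-in for the metadata server (hypothetical helper, for offline runs).
def start_fake_metadata_server(attrs)
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      client = server.accept
      path = client.gets.to_s.split[1].to_s
      headers = {}
      while (line = client.gets) && line != "\r\n"
        name, value = line.chomp.split(': ', 2)
        headers[name.downcase] = value
      end
      key = path.split('/').last
      status, body =
        if headers['metadata-flavor'] != 'Google' then ['403 Forbidden', '']
        elsif attrs.key?(key) then ['200 OK', attrs[key]]
        else ['404 Not Found', '']
        end
      client.write "HTTP/1.1 #{status}\r\nMetadata-Flavor: Google\r\n" \
                   "Content-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}"
      client.close
    end
  end
  server.addr[1] # port chosen by the OS
end

FAKE_PORT = start_fake_metadata_server('mysecret' => 'constructed-secret-value')
puts project_attribute('mysecret', host: '127.0.0.1', port: FAKE_PORT).length
```

Project attributes are readable by every workload in the project that can reach the metadata server, so fetch the value once at boot (for example from a Rails initializer) and keep it out of logs.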
