发表新帖
发表新帖

How do i handle secrets in Google Cloud Functions?

前端 未结
关注
3 2039
没有蜡笔的小新
没有蜡笔的小新 2021-02-13 23:44

What is the common practice here? There seems to be no tools provided by gcloud. I\'m deploying functions from local machine for now, so I can hardcode secrets, but

相关标签:
3条回答
  • 情书的邮戳
    2021-02-13 23:51

    You can use the Secret Manager for this. Follow the instructions on the link to add a secret.

    The only GOTCHA I found is that by default the service account doesn't have read-access to the secrets, you've got to manually grant permissions, like so:

    0 讨论(0)
  • 悲哀的现实
    2021-02-14 00:01

    Since making my comment, I've found a relatively simple way to do this - provide a config .json file. Here's an example I hacked together based on their Slack function example:

    config.json file in the same directory as index.js:

    {
  "foo": "bar"
}

    index.js

    const config = require('./config.json');

exports.envTest = (req, res) => {
  res.status(200).send(config.foo);
};

    When you deploy the function and go to the URL, you should get the response bar.

    Pros and cons:

    Pros:

    1. Easy to set up and configure right in your IDE
    2. Config file can be put into .gitignore to ensure your secrets don't end up the repo
    3. File itself can be stored in a secure location and only given to individual responsible for deploying the functions

    Cons:

    1. Clunky in comparison to proper secret management
    2. Requires attention to ensure the file doesn't fall into the wrong hands
    3. File can be read in plaintext in the Google Cloud console by looking at the function source

    On the whole, it's a far cry from a real secrets management system, but it's workable enough to hold me over until this feature eventually makes it into the Cloud Functions core.

    0 讨论(0)
  • 名媛妹妹
    2021-02-14 00:01

    You should use Cloud Key Management Service(KMS).
    Don't push pure secrets to Cloud Functions with files or environment variables.

    One solution is followings:

    1. Create key on Cloud KMS
    2. Encrypt secret file with that key
    3. Upload encrypted secret file to Google Cloud Storage(GCS) (Accessible by specified user)
    4. In Cloud Function Execution, get uploaded secret file from GCS, decrypt, and use it

    [Ref] Secret management using the Google Cloud Platform

    0 讨论(0)
 看不清?
提交回复
热议问题