How to set environment variables using Google Cloud Build or other method in Google App Engine Standard Environment?
Is there anyway to inject environment variables from Cloud Build into the App Engine Standard environment?
I do not want to push my environment variables to GitHub
-
I have another solution, if someone is still interested in this. This should work on all languages, because environment variables are added directly into
app.yamlfileAdd substitution variable in build trigger (as described in this answer).
Add environment variables to
app.yamlin a way they can be easily substituted with build trigger variables. Like this:
env_variables: SECRET_KEY: %SECRET_KEY%- Add a step in
cloudbuild.yamlto substitute all%XXX%variables insideapp.yamlwith their values from build trigger.
- name: 'gcr.io/cloud-builders/gcloud' entrypoint: bash args: - '-c' - | sed -i 's/%SECRET_KEY%/'${_SECRET_KEY}'/g' app.yaml gcloud app deploy app.yaml讨论(0) -
Based on your preferences that you have highlighted (Cloud Build, KMS). The Google Secrets link that you had mentioned involves storing sensitive data at build or runtime using Cloud KMS: KeyRing and CryptoKey. However, Google offers other Secret Management Solutions using Cloud KMS as well.
Here are a couple of other options you can use while storing Secrets:
Option 1 : You can store Secrets in code that are encrypted with a key from Cloud KMS. (This is typically used by encrypting your secret at the application layer.)
Benefit: Provides a layer of security from insider threats because it restricts access to the code with a corresponding key.
[You can find some additional information about these options on the Google Documentation here.]
Option 2: You can Store Secrets inside a Google Storage Bucket where your data is at rest encryption. (Similar to option 1 this has the ability to limit access to secrets to a small group of Developers.)
Benefit: Storing your secrets in a separate location ensures that if a breach of your code repository has occurred, your secrets may still be protected.)
[Note: Google recommends that you use two projects for proper separation of duties. One project will use Cloud KMS to manage the keys and the other project will use Cloud Storage to store the secrets.]
If the options listed above still do not meet your needs, I have found a StackOverflow question that shares a similar objective as your project. (i.e: Storing environment variables in GAE without Datastore)
The solution provided on this link illustrates the use of storing keys in a client_secrets.json file that gets excluded when uploading to git by listing it in .gitignore. You can find some Google examples (Python) of usage here.
讨论(0) -
Here is a tutorial on how to securely store env vars in your cloud build (triggers) settings and import them into your app.
Basically there are three steps:
Add your env vars to the 'variables' section in one of your build trigger settings
Screenshot of where to add variables in build triggers
By convention variables set in the build trigger must begin with an underscore (_)
Configure
cloudbuild.yaml(on the second step in the code example) to read in variables from your build trigger, set them as env vars, and write all env vars in a local .env fileAdd
couldbuild.yaml(below) to your project root directory
steps: - name: node:10.15.1 entrypoint: npm args: ["install"] - name: node:10.15.1 entrypoint: npm args: ["run", "create-env"] env: - 'MY_SECRET_KEY=${_MY_SECRET_KEY}' - name: "gcr.io/cloud-builders/gcloud" args: ["app", "deploy"] timeout: "1600s"Add
create-envscript topackage.json"scripts": { "create-env": "printenv > .env" },Read env vars from .env to your app (config.js)
Install dotenv package
npm i dotenv -SAdd a
config.jsto your app
// Import all env vars from .env file require('dotenv').config() export const MY_SECRET_KEY = process.env.MY_SECRET_KEY console.log(MY_SECRET_KEY) // => HelloDone! Now you may deploy your app by triggering the cloud build and your app will have access to the env vars.
讨论(0)
加载中...
- 热议问题