问题
I use Google Source Repository to store my Google Cloud Functions. (Git repo hosted by Google, basically)
One of my function needs to access a private Google Sheet file, I therefore created a Service Account. (With way too many rights since it's so hard to understand what exact rights we should give to a service account, and so hard to update later on, but I digress)
Now, it's clearly not recommended to store the Service Account JSON file in the git repository itself for obvious reasons. Here is what it looks like (stripped from values)
{
"type": "service_account",
"project_id": "",
"private_key_id": "",
"private_key": "",
"client_email": "",
"client_id": "",
"auth_uri": "",
"token_uri": "",
"auth_provider_x509_cert_url": "",
"client_x509_cert_url": ""
}
I have been looking at environment variables to configure for a Functions or something alike but didn't find anything. Tracking the key (and therefore potentially duplicating that file on several repositories) really doesn't sound such a good idea. But I haven't found any "proper" way to do it yet. And due to the way Google Functions work, I can't think of anything else but env variables.
回答1:
My solution when using cloud function with a service account is:
- Encrypt your service account credential json file using Cloud KMS/vault and upload it to Cloud Storage.
Fetch service account credential json file from Cloud Storage and decrypt it using a Cloud KMS service account which has encrypt/decrypt permission.
Parse service account credential json file at runtime and get
private_key
,client_email
andprojectId
.Pass these three secret variables to the client library
We store config variables as environment variables for cloud function, they are plain text, but it's ok. Because they are not secret things.
We must not store secret things like plain text, e.g cloud function environment variables.
回答2:
You can upload the service account file along with your functions and use it from within your code. It will remain secure there. Most developers will use a .gitignore or equivalent mechanism to keep that file from being added to source control. There is an example of loading service account credentials from Firebase samples. (If you're not using the Firebase SDK, you'll have to be mindful to convert the function definition to the Cloud style.
You could also use an env var, but you'll have to take special care in quoting and escaping the values to make sure they get to your function correctly. It's kind of a hassle, but doable.
回答3:
Here you could find how to provide credentials to your application, using the environment variable GOOGLE_APPLICATION_CREDENTIALS
.
回答4:
This is how I solved this problem. First create a logic in a file keys.js to determine whether you are in development or production (and create corresponding ./dev.js and ./prod.js files, where you should include ./dev.js in .ignore file to make sure it's not uploaded to your github remote):
if (process.env.NODE_ENV === "production") {
module.exports = require("./prod");
} else {
module.exports = require("./dev");
}
Second, you require your keys.js file where the logic above resides and create a credential object based on the data received from keys.js:
const credentials = {
type: keys.googleType,
project_id: keys.googleProjectId,
private_key_id: keys.googlePrivateKeyId,
private_key: keys.googlePrivateKey,
client_email: keys.googleClientEmail,
client_id: keys.googleClientId,
auth_uri: keys.googleAuthUri,
token_uri: keys.googleTokenUri,
auth_provider_x509_cert_url: keys.googleAuthProviderX509CertUrl,
client_x509_cert_url: keys.googleClientX509CertUrl
};
Now, for every google cloud service you can use the following example patterns:
const storage = new Storage({
project_id: credentials.project_id,
credentials
});
const client = new textToSpeech.TextToSpeechClient({
project_id: credentials.project_id,
credentials
});
...
etc.
来源:https://stackoverflow.com/questions/48602546/google-cloud-functions-how-to-securely-store-service-account-private-key-when