问题
I am using gitlab and deploying it to google app engine for my nodejs application.
Google Service access is added as variable in gitlab settings
SERVICE_ACCOUNT_KEY:
{
"type": "service_account",
"project_id": "node-us",
"private_key_id": "",
"private_key": "",
"client_email": "gitlab-demo-service-account@node-us.iam.gserviceaccount.com",
"client_id": "",
"auth_uri": "",
"token_uri": "",
"auth_provider_x509_cert_url": "",
"client_x509_cert_url": ""
}
.gitlab-ci.yml
image: node:latest
cache:
paths:
- node_modules/
before_script:
- echo "deb http://packages.cloud.google.com/apt cloud-sdk-jessie main" | tee /etc/apt/sources.list.d/google-cloud-sdk.list
- curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
- apt-get update
- apt-get -qq -y install google-cloud-sdk
deploy_production:
stage: deploy
environment: Production
only:
- master
script:
- echo $SERVICE_ACCOUNT_KEY > /tmp/$CI_PIPELINE_ID.json
- gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json
- gcloud --quiet --project node-us app deploy app.yaml
after_script:
- rm /tmp/$CI_PIPELINE_ID.json
my root folder has app.yaml file and .env file
As of now I was testing the flow which worked fine and deployed successfully to google app engine. (it does not contain any secret keys)
However I want the my env variables (containing secret keys) need to be ignored in .gitignore also not to be part of app.yaml file.
How can I pass my env secret keys?
回答1:
Don't pass it!
Use Secret Manager to pass your secret. So, in your repository, use the secret manager URI to reference the secret, with the secret version. Like this, no secret in your code or in the app.yaml/.env files.
If you need to update the secret, do it manually. Some tasks are hard, or expensive, to automate.
Note: The article that you mention has been released 6 months before Secret Manager release (early this year 2020)
来源:https://stackoverflow.com/questions/65265583/how-to-pass-the-env-secret-variable-in-google-app-engine-and-gitlab-ci