问题
Is there an "official" solution for passing sensitive information, such as API keys, to Google Cloud Functions? In particular it would be nice to avoid passing this information as arguments to the function since it will be the same for every invocation. AWS Lambda has a built-in solution using encrypted environment variables for this. Is there some similar approach for Google Cloud Functions?
I could imagine using a cloud storage bucket or cloud datastore for this, but that feels very manual.
回答1:
If you're using Cloud Functions with Firebase, you're looking for environment configuration.
With that, you deploy configuration data from the Firebase CLI:
firebase functions:config:set someservice.key="THE API KEY" someservice.id="THE CLIENT ID"
And then read it in your functions with:
functions.config().someservice.id
回答2:
You can use Google Secret Manager. https://cloud.google.com/secret-manager/docs
See this article for an example: https://dev.to/googlecloud/using-secrets-in-google-cloud-functions-5aem
回答3:
As for now, there's no way to do this.
- https://issuetracker.google.com/issues/35907643
回答4:
Few options that you can go about this:
- GCP Runtime Configuration. Set up a schema that can be only accessed by your service account and put your secret there. You do that prior to your deployment. Your app should be able to use Runtime Configuration API to access these. You can use this nifty library: https://www.npmjs.com/package/@google-cloud/rcloadenv
- Generate a JS on the fly including that information as part of your cloud function build/deploy and include that file as part of you cloud function.
- Use Google KMS to store the keys and access it with KMS's API
来源:https://stackoverflow.com/questions/42959284/passing-sensitive-information-to-cloud-functions