Issue
Up to now I added plain-text environment variables in the first step of creating the Cloud Function, and in the second step I read, for example, the DB connection URL variables, including the sensitive credentials, with:
    def my_cloud_function(request):
        from os import environ
        ...
        # plain-text values set in the function's "Variables" tab
        db_user = environ["DB_USER"]
        db_pass = environ["DB_PASS"]
        db_name = environ["DB_NAME"]
        db_host = environ["DB_HOST"]
        db_port = environ["DB_PORT"]
        ...
(or use os.getenv() instead of os.environ).
But I do not want to expose these sensitive connection parameters in this variables menu, which is available to anyone with the rights who clicks on the "Variables" tab. It is awkward if I can click on the variables and see a colleague's login credentials. But the other parts of the DB URL had also better be kept secret.
How can I use environment variables without exposing them to anyone, ideally from an unreadable encrypted file that I can also push to git?
There are a couple of Q&A on Stack Overflow that go into this direction, but I could not find the answer:
- How can i pass variable to a google cloud function
- Setting environment variables in Google Cloud Platform using Cloud Functions
- Using Google Cloud Secret as environment variables in Google Cloud Build
- and some more.
I guess that this will need secrets, but how would that be done, and where would they be stored? Or are there other ways, like using the JSON that is passed as the request parameter?
Solution
The recommended way to manage secrets in Cloud Functions is mounting secrets from Secret Manager. This documentation explains very well how to set it up: https://cloud.google.com/functions/docs/configuring/secrets
In a nutshell:
- Create your secrets under Secret Manager;
- Edit your Cloud Function -> Advanced Options -> Security;
- Map the secrets you would like to be available during runtime;
- Grant the role roles/secretmanager.secretAccessor to the service account bound to the Cloud Function;
- Once done, you can use the secrets as environment variables (as you are used to and mentioned in your description).
Answered By - CaioT
Answer Checked By - Timothy Miller (PHPFixing Admin)
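The following is an added example, not code from the question or the answer above. It shows the last step of the procedure in the answer from the function's side: once Secret Manager secrets are mapped to the function, the handler reads them like ordinary environment variables, but fails closed when one is missing instead of connecting with an empty credential, percent-encodes the credentials when building the URL, and redacts the password before anything is logged. It also accepts the file-mount form of the mapping; the mount path `/secrets`, the lower-case file names and the `postgresql` driver prefix are this example's own assumptions.

```python
import os
from urllib.parse import quote_plus, urlsplit, urlunsplit

# Added example, not code from the original post. It assumes the function was
# deployed with its secrets mapped from Secret Manager either as environment
# variables (DB_PASS=...) or as files under a mount path; the mount path and
# the lower-case file names below are this example's own convention.
SECRET_MOUNT = "/secrets"
REQUIRED = ("DB_USER", "DB_PASS", "DB_NAME", "DB_HOST", "DB_PORT")


class MissingSecret(RuntimeError):
    """Raised when a required secret is neither in the environment nor mounted."""


def read_secret(name, env=None, mount_dir=SECRET_MOUNT):
    """Return the secret `name` from the environment, else from a mounted file.

    An unset or empty environment variable falls through to the file, so a
    half-configured deployment fails closed instead of connecting with "".
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if value:
        return value
    path = os.path.join(mount_dir, name.lower())
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        raise MissingSecret(f"{name}: not in environment and no file at {path}") from None
    # Secret Manager stores the bytes exactly as uploaded; strip only a trailing
    # newline that `echo` may have added at creation time, never other whitespace.
    data = data.decode("utf-8").rstrip("\n")
    if not data:
        raise MissingSecret(f"{name}: mounted file {path} is empty")
    return data


def load_db_config(env=None, mount_dir=SECRET_MOUNT):
    """Collect all connection parameters, validating the port range."""
    cfg = {name: read_secret(name, env, mount_dir) for name in REQUIRED}
    port = int(cfg["DB_PORT"])
    if not 1 <= port <= 65535:
        raise ValueError(f"DB_PORT out of range: {port}")
    cfg["DB_PORT"] = port
    return cfg


def build_db_url(cfg, driver="postgresql"):
    """Build the connection URL, percent-encoding user and password so that
    '@', ':' or '/' inside a credential cannot change how the URL parses."""
    user = quote_plus(cfg["DB_USER"])
    password = quote_plus(cfg["DB_PASS"])
    return f"{driver}://{user}:{password}@{cfg['DB_HOST']}:{cfg['DB_PORT']}/{cfg['DB_NAME']}"


def redact_url(url):
    """Copy of the URL with the password replaced, safe to write to logs."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username or ''}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def my_cloud_function(request):
    """HTTP entry point: resolve the secrets when called, so a missing one
    surfaces as a clear error rather than a failed login with ""."""
    try:
        cfg = load_db_config()
    except MissingSecret as exc:
        print(f"configuration error: {exc}")   # names the variable, not its value
        return ("misconfigured", 500)
    url = build_db_url(cfg)
    print(f"connecting to {redact_url(url)}")  # never log the raw URL
    # ... open the database connection with `url` here ...
    return ("ok", 200)
```

With the mapping in place, the values never appear in the "Variables" tab; only the reference to the secret does. The environment-variable form corresponds to deploying with `--set-secrets 'DB_PASS=db-pass:latest'` on `gcloud functions deploy`, and the file form to `--set-secrets '/secrets/db_pass=db-pass:latest'`; pinning a numeric version instead of `latest` makes rotation an explicit redeploy. Create the secret value with `printf '%s' "$PASSWORD" | gcloud secrets create db-pass --data-file=-` rather than `echo` to avoid a trailing newline. What goes into git is then the deploy command or mapping, never the value.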