Sunday, August 21, 2022

[FIXED] How to avoid plain text environment variables in a Google Cloud Function and instead pass them secretly?

Tags: environment-variables, google-cloud-functions, parameter-passing, security

Issue

Up to now, I added plain-text environment variables in the first step of creating the Cloud Function, and in the second step I called, for example, the db connection URL variables, including the sensitive credentials, with:

def my_cloud_function(request):
    from os import environ
    
    ...
    db_user = environ["DB_USER"]
    db_pass = environ["DB_PASS"]
    db_name = environ["DB_NAME"]
    db_host = environ["DB_HOST"]
    db_port = environ["DB_PORT"]
    ...

(or use os.getenv() instead of os.environ()).

But I do not want to expose these sensitive connection parameters in this variables menu, available to anyone with the rights who clicks on the "Variables" tab. It is awkward if I can click on the variables and see the login credentials of a colleague. But the other parts of the db URL should also better be kept secret.

How can I use environment variables without exposing them to anyone, at best from an unreadable encrypted file that I can also push to git?

There are a couple of Q&A on Stack Overflow that go into this direction, but I could not find the answer:

  • How can i pass variable to a google cloud function
  • Setting environment variables in Google Cloud Platform using Cloud Functions
  • Using Google Cloud Secret as environment variables in Google Cloud Build
  • and some more.

I guess that this will need secrets, but how would that be done, where would they be stored? Or are there other ways like using the json that is passed as the request parameter?


Solution

The recommended way to manage secrets in Cloud Functions is mounting the secrets from Secret Manager. This documentation explains very well how to set it up: https://cloud.google.com/functions/docs/configuring/secrets

In a nutshell:

  1. Create your secrets under Secret Manager;

  2. Edit your Cloud Function -> Advanced Options -> Security;
  3. Map the secrets you would like to be available during runtime;
  4. Grant the role roles/secretmanager.secretAccessor to the service account bound to the Cloud Function;
  5. Once done, you can use the secrets as environment variables (like you are used to and mentioned in your description);


Answered By - CaioT
Answer Checked By - Timothy Miller (PHPFixing Admin)
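
An added example, not part of the original answer: one way the function code can consume the secrets mapped in the steps above, whether they arrive as environment variables or as mounted files, failing closed when one is missing and keeping the password out of logs. The variable names are those from the question; the helper names, the mount directory, and the `postgresql://` scheme are assumptions made for illustration.

```python
import os
from pathlib import Path
from urllib.parse import quote

# Names from the question; each is mapped to a Secret Manager secret in the
# function's security settings instead of being typed in as plain text.
REQUIRED = ("DB_USER", "DB_PASS", "DB_NAME", "DB_HOST", "DB_PORT")


def read_secret(name, env=None, mount_dir=None):
    """Return a secret exposed as an env var or, failing that, as a mounted file.

    mount_dir is an assumed volume mount path (for example /etc/secrets)
    holding one file per secret, named after the variable.
    """
    env = os.environ if env is None else env
    value = (env.get(name) or "").strip()
    if not value and mount_dir is not None:
        path = Path(mount_dir) / name
        if path.is_file():
            # Secret payloads often carry a trailing newline from the tool
            # that created them; strip it before use.
            value = path.read_text(encoding="utf-8").strip()
    if not value:
        # Fail closed and name only the missing key, never a value.
        raise RuntimeError(f"secret {name} is not configured")
    return value


def load_db_config(env=None, mount_dir=None):
    """Collect all connection parameters or raise before any connection is tried."""
    cfg = {name: read_secret(name, env, mount_dir) for name in REQUIRED}
    if not cfg["DB_PORT"].isdigit():
        raise RuntimeError("DB_PORT must be numeric")
    return cfg


def db_url(cfg, redact=False):
    """Build a connection URL; redact=True gives a form that is safe to log."""
    user = quote(cfg["DB_USER"], safe="")
    # Percent-encode the password so characters like @ : / cannot break the URL.
    password = "***" if redact else quote(cfg["DB_PASS"], safe="")
    return (f"postgresql://{user}:{password}@{cfg['DB_HOST']}:"
            f"{cfg['DB_PORT']}/{cfg['DB_NAME']}")
```

With the environment-variable mapping from the answer, `load_db_config()` with no arguments is enough; pass `mount_dir` only when the secrets are mounted as a volume.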