Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do i handle secrets in Google Cloud Functions?

Tags:

google-cloud-platform

google-cloud-functions

What is the common practice here? There seems to be no tools provided by gcloud. I'm deploying functions from local machine for now, so I can hardcode secrets, but this seems inappropriate. Also, what about CI/CD? I would need to pass secrets as environment variables in this case. Is this even possible atm?

like image 838
stkvtflw Avatar asked Dec 06 '17 05:12

stkvtflw

People also ask

How do I manage cloud secrets?

Go to the Secret Manager page in the Google Cloud console. Select the secret and in the right side permissions tab, click Add Principal. In the New principals textbox, enter the service account email for your Cloud Run service. Grant it the role Secret Manager Secret Accessor.

How do I access the secret in GCP?

admin ) on the project, folder, or organization. Go to the Secret Manager page in the Google Cloud console. On the Secret Manager page, click Create Secret. On the Create secret page, under Name, enter a name for the secret (e.g. my-secret ).

What is secret Manager in Google Cloud?

Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.

3 Answers

You can use the Secret Manager for this. Follow the instructions on the link to add a secret.

The only GOTCHA I found is that by default the service account doesn't have read-access to the secrets, you've got to manually grant permissions, like so:

Add secret permissions

like image 73
Matthew Avatar answered Oct 17 '22 05:10

Matthew

Since making my comment, I've found a relatively simple way to do this - provide a config .json file. Here's an example I hacked together based on their Slack function example:

config.json file in the same directory as index.js:

{
  "foo": "bar"
}

index.js

const config = require('./config.json');

exports.envTest = (req, res) => {
  res.status(200).send(config.foo);
};

When you deploy the function and go to the URL, you should get the response bar.

Pros and cons:

Pros:

  1. Easy to set up and configure right in your IDE
  2. Config file can be put into .gitignore to ensure your secrets don't end up the repo
  3. File itself can be stored in a secure location and only given to individual responsible for deploying the functions

Cons:

  1. Clunky in comparison to proper secret management
  2. Requires attention to ensure the file doesn't fall into the wrong hands
  3. File can be read in plaintext in the Google Cloud console by looking at the function source

On the whole, it's a far cry from a real secrets management system, but it's workable enough to hold me over until this feature eventually makes it into the Cloud Functions core.

like image 4
Artem Zakharov Avatar answered Oct 17 '22 07:10

Artem Zakharov

You should use Cloud Key Management Service(KMS).
Don't push pure secrets to Cloud Functions with files or environment variables.

One solution is followings:

  1. Create key on Cloud KMS
  2. Encrypt secret file with that key
  3. Upload encrypted secret file to Google Cloud Storage(GCS) (Accessible by specified user)
  4. In Cloud Function Execution, get uploaded secret file from GCS, decrypt, and use it

[Ref] Secret management using the Google Cloud Platform

like image 3
R.Shindo Avatar answered Oct 17 '22 05:10

R.Shindo
Sign in to Comment

Related questions

How can an application store secrets in Google Cloud Datastore securely?
Restrict access to Google Cloud Functions to a given network?
Permanently binding static IP to preemptible google cloud VM
Google Cloud Functions Environment Variables
"We can not access the URL currently."
Google Cloud Functions Public URL
Apply SSL into Google Compute Engine Instance
Edit Google Cloud Organization Name
Is there an Autoincrement in BigQuery?
How to cache multi-stage docker build in google cloud builder
Using Docker compose within Google App Engine
Can I use Google Cloud Pub/Sub across different Google Cloud projects?
How to redirect HTTP to HTTPS using GCP load balancer
OAuth consent screen - ability to remove application logo: old solution is no longer working
Beta Firebase Firestore won't work with projects using app engine
Copy files between two Google Cloud instances
Does google allow businesses to use "Did you Mean" feature as an api?? I would like to use it but I am not getting anything
How does stackdriver logging assert the severity of an entry?
Do Google Cloud Platform HTTP Functions Support Route Parameters?
How to convert .ckpt to .pb?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!