best practices for accessing environment variables in production repo
Question
What are the best practices for accessing environment variables in a production build when it's generally considered bad practice to push .env files to the production repo?
I'm currently working on a project where I need to access environment variables (such as API keys and database credentials), but I'm not sure how to do this without including the .env files in the production repository.
If I push them, then that leaves me open for an attack if someone accesses the repo. But if I don't, then the resulting code that is compiled won't have access to those necessary credentials.
What are some best practices for handling this situation? Are there any tools or methods that can help with accessing environment variables in a production build without pushing them directly to production?
const connection = {
  host: "127.0.0.1",
  // All of these will result in undefined
  user: process.env.DB_PROD_USER,
  pass: process.env.DB_PROD_PASS,
  table: process.env.DB_PROD_TABLE
};
Answer 1
Score: 3
You use actual environment variables, defined in the production environment itself (not the repo or the code). How you do that depends on the environment.
If you're running an actual server yourself (physical or VPS), you'd have them in the environment settings for the process that will run the code or the user account that the code will be running under. (Ideally using a tool that allows you to have those encrypted at rest and only decrypted into memory when running.)
If you're using a hosted solution, it will have a way to provide the environment variables that should be available to your code when the environment runs. Here's an example from render.com's configuration page:
Here's one from Deno Deploy:
Answer 2
Score: 0
My approach is to use .env files in my local environment and load them with the npm package dotenv.
I ignore the .env files in the .gitignore so they won't be added to the repo.
On the server, these environment variables already exist; the server admin manages them. You could, if necessary, copy the .env files onto the server with ssh and vim, or ftp, though that wouldn't be best practice.
I also have a copy of the .env files with the values empty as a template in the repo, with a readme of where to copy the files and where/who to get the values from for other devs.
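The pattern from answers 1 and 2, as an added Node.js example (not code from the question or either answer): read credentials from the real process environment, consult a local .env only outside production, fail fast on missing keys without printing their values, and generate the empty-value template to commit. The parser is a minimal stand-in for the dotenv package, and the names REQUIRED_KEYS, SAMPLE_DOTENV, loadConfig and envTemplate are assumptions of this example.

```javascript
// Added example: a config loader that reads credentials from the real process
// environment, consults a local .env only outside production, and fails fast
// with the *names* of any missing keys. REQUIRED_KEYS, SAMPLE_DOTENV, loadConfig
// and envTemplate are this example's own names, not from the question or answers.

// Minimal stand-in for the dotenv package's parser: KEY=VALUE lines, '#' comments,
// optional matching single or double quotes around the value.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    let val = line.slice(eq + 1).trim();
    if (/^(["']).*\1$/.test(val)) val = val.slice(1, -1);
    out[line.slice(0, eq).trim()] = val;
  }
  return out;
}

const REQUIRED_KEYS = ["DB_PROD_USER", "DB_PROD_PASS", "DB_PROD_TABLE"];

// env: the process environment (pass process.env in real use). dotenvText: the
// contents of a local .env; it is only consulted when NODE_ENV !== "production"
// and never overrides a variable the environment already defines (dotenv's default).
function loadConfig(env, dotenvText = "", required = REQUIRED_KEYS) {
  const merged = { ...env };
  if (env.NODE_ENV !== "production" && dotenvText) {
    for (const [k, v] of Object.entries(parseDotenv(dotenvText))) {
      if (!(k in merged)) merged[k] = v;
    }
  }
  const missing = required.filter((k) => !merged[k]); // empty string counts as missing
  if (missing.length) {
    // Report key names only: secret values must never reach logs or error output.
    throw new Error(`missing required environment variables: ${missing.join(", ")}`);
  }
  return Object.fromEntries(required.map((k) => [k, merged[k]]));
}

// Template to commit as .env.example (answer 2): key names only, values left empty.
function envTemplate(required = REQUIRED_KEYS) {
  return required.map((k) => `${k}=`).join("\n") + "\n";
}

// Constructed sample .env for a developer machine (this file stays in .gitignore).
const SAMPLE_DOTENV = '# local dev credentials\nDB_PROD_USER=app\nDB_PROD_PASS="s3cret pass"\nDB_PROD_TABLE=users\n';
```

In production, `loadConfig(process.env)` will throw at startup if the hosting platform's environment settings are incomplete, instead of silently connecting with undefined credentials as in the question's snippet.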
Answer 3
Score: -1
Yes. I did this a few days ago and I think it's a better solution.
const baseURL = process.env[process.env.NODE_ENV];
This is my object containing the different URLs:
env: {
  development: "your_development_url",
  production: "your_production_url",
},