recommended between native integration (as mounted volume or environment variable) and Secret Manager client library for Google cloud function?


Question


I am new to implementing secrets in Cloud Functions. I would like to know which one would be the recommended method for accessing secrets in a Google Cloud Function in terms of security, ease of access, performance, etc.

I am aware of 3 methods available with Secret Manager.

  1. Secrets with a mounted volume
  2. Secrets with environment variables
  3. Secret Manager client library

Answer 1

Score: 1


As @John Henley suggested in this Stack Overflow link,

> The primary difference between mounting a secret as a volume versus as an environment variable is the access method and when the secret is read from Secret Manager.
>
> Mounting a secret as a volume reads the secret each time the volume/file is read. If you are referencing the latest tag, updates to secrets will update the secret in Functions the next time you read the volume/file.
>
> Exposing a secret as an environment variable reads the secret at instance cold start. That means if you update the secret, the Function instance will continue to use the last value even if you specify latest. Only on instance cold start is the new secret read from Secret Manager. If you have multiple function instances running, some might use the previous value and some might use the current value. That depends on when each Function instance was started.
>
> Mounting a secret as a volume can be more expensive because the secret might be read more often.

To know which one would be the recommended method for accessing secrets in a Google Cloud Function, please have a look at this documentation, which explains it clearly.

Please have a look at this section in the documentation to get an overview of choosing between the three available methods.
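To make the freshness difference in the quoted answer concrete, here is an added Python example that is not part of the original answer. It simulates the mounted secret file and the cold-start environment variable with a temp directory and os.environ so it runs offline; the client-library path is stood in by an injectable fetcher wrapped in a TTL cache, which is an assumption of this example rather than something the answer prescribes.

```python
"""Freshness semantics of the three Cloud Functions secret access patterns.

Constructed illustration: a temp file stands in for the mounted volume path
(e.g. /secrets/db-password) and os.environ for the cold-start environment
variable, so the behaviour can be observed without a GCP project.
"""
import os
import tempfile
import time
from pathlib import Path
from typing import Callable, Optional

# Constructed stand-in for the mounted secret file; "v1" is the first version.
SECRET_PATH = Path(tempfile.mkdtemp()) / "db-password"
SECRET_PATH.write_text("v1")
# Cloud Functions resolves an env-var secret once, when the instance starts.
os.environ["DB_PASSWORD"] = SECRET_PATH.read_text()

# 1. Environment variable: captured at cold start and frozen for the instance lifetime.
ENV_SECRET = os.environ["DB_PASSWORD"]

def secret_from_env() -> str:
    return ENV_SECRET

# 2. Mounted volume: every read opens the file, so a new 'latest' version is
#    visible on the next invocation without a restart.
def secret_from_volume() -> str:
    return SECRET_PATH.read_text().strip()

# 3. Client library: an explicit API call per access. Caching with a TTL bounds
#    the per-invocation latency and Secret Manager access cost (assumed pattern).
class CachedSecret:
    def __init__(self, fetch: Callable[[], str], ttl_s: float) -> None:
        self._fetch, self._ttl = fetch, ttl_s
        self._value: Optional[str] = None
        self._expires = 0.0

    def get(self) -> str:
        now = time.monotonic()
        if self._value is None or now >= self._expires:
            self._value, self._expires = self._fetch(), now + self._ttl
        return self._value

def rotate_secret(new_value: str) -> None:
    """Simulates adding a new secret version that 'latest' now points at."""
    SECRET_PATH.write_text(new_value)

def demo() -> dict:
    """Returns what each access method sees before and after a rotation."""
    cached = CachedSecret(fetch=secret_from_volume, ttl_s=60)  # fetch stands in for the API
    before = {"env": secret_from_env(), "volume": secret_from_volume(), "client": cached.get()}
    rotate_secret("v2")
    after = {"env": secret_from_env(), "volume": secret_from_volume(), "client": cached.get()}
    return {"before": before, "after": after}
```

Only the volume read reflects the rotation immediately; the env-var value stays stale until a cold start, and the cached client value stays stale until its TTL expires.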

huangapple
  • Posted on 2023-07-03 17:23:40
  • Please retain the link to this article when reposting: https://go.coder-hub.com/76603444.html