为什么秘密管理工具 SecretHub 在本地有效,但在 heroku 生产环境中却无效?
why does secret management tool SecretHub work locally but not in heroku production?
我决定为 Heroku 托管的 node.js 服务器实施秘密管理服务 (secrethub.io)。
它的安装过程是这样的:
npm install --save-dev @secrethub/cli
secrethub init
(然后在您注册后提供凭据)
然后将主启动脚本调整为:
secrethub run -- nodemon server.js
现在,当我 运行 在本地使用 npm run start 应用程序时,一切正常,服务器 运行 正常,注入了秘密,一切都很好。但是当我部署到 Heroku 时,应用程序在启动脚本时立即崩溃:
server@1.0.0 start /app 2020-09-28T22:42:08.353088+00:00
app[web.1]: > secrethub run -- nodemon server.js
2020-09-28T22:42:08.353088+00:00 app[web.1]:
2020-09-28T22:42:08.469775+00:00 app[web.1]: Encountered an error:
error while processing template file 'secrethub.env': could not find
credential file. Go to https://signup.secrethub.io/ to create an
account or run secrethub init to use an already existing account on
this machine. (secrethub.credential_not_exist)
(run.template_parsing_failed) 2020-09-28T22:42:08.484159+00:00
app[web.1]: npm ERR! code ELIFECYCLE 2020-09-28T22:42:08.484663+00:00
app[web.1]: npm ERR! errno 1 2020-09-28T22:42:08.493367+00:00
app[web.1]: npm ERR! aflare-stripe@1.0.0 start: secrethub run -- nodemon server.js 2020-09-28T22:42:08.493885+00:00 app[web.1]: npm
ERR! Exit status 1 2020-09-28T22:42:08.494399+00:00 app[web.1]: npm
ERR! 2020-09-28T22:42:08.494840+00:00 app[web.1]: npm ERR! Failed at
the aflare-stripe@1.0.0 start script. 2020-09-28T22:42:08.495292+00:00
app[web.1]: npm ERR! This is probably not a problem with npm. There is
likely additional logging output above.
2020-09-28T22:42:08.515466+00:00 app[web.1]:
2020-09-28T22:42:08.516772+00:00 app[web.1]: npm ERR! A complete log
of this run can be found in: 2020-09-28T22:42:08.517179+00:00
app[web.1]: npm ERR!
/app/.npm/_logs/2020-09-28T22_42_08_498Z-debug.log
就像我说的,我已经注册了一切。有人知道部署到 Heroku 和使用秘密管理服务的任何问题吗?
从日志的以下部分来看,SecretHub CLI 似乎无法访问凭据:
could not find credential file. Go to https://signup.secrethub.io/ to create an account or run secrethub init to use an already existing account on this machine. (secrethub.credential_not_exist)
您可以通过为您的 Heroku 应用程序创建服务帐户来解决此问题。您可以按照 this guide to see how. You can configure the resulting credential as the SECRETHUB_CREDENTIAL environment variable in Heroku (see here 如何操作)。
我决定为 Heroku 托管的 node.js 服务器实施秘密管理服务 (secrethub.io)。
它的安装过程是这样的:
npm install --save-dev @secrethub/cli
secrethub init
(然后在您注册后提供凭据)
然后将主启动脚本调整为:
secrethub run -- nodemon server.js
现在,当我 运行 在本地使用 npm run start 应用程序时,一切正常,服务器 运行 正常,注入了秘密,一切都很好。但是当我部署到 Heroku 时,应用程序在启动脚本时立即崩溃:
server@1.0.0 start /app 2020-09-28T22:42:08.353088+00:00 app[web.1]: > secrethub run -- nodemon server.js 2020-09-28T22:42:08.353088+00:00 app[web.1]: 2020-09-28T22:42:08.469775+00:00 app[web.1]: Encountered an error: error while processing template file 'secrethub.env': could not find credential file. Go to https://signup.secrethub.io/ to create an account or run
secrethub initto use an already existing account on this machine. (secrethub.credential_not_exist) (run.template_parsing_failed) 2020-09-28T22:42:08.484159+00:00 app[web.1]: npm ERR! code ELIFECYCLE 2020-09-28T22:42:08.484663+00:00 app[web.1]: npm ERR! errno 1 2020-09-28T22:42:08.493367+00:00 app[web.1]: npm ERR! aflare-stripe@1.0.0 start:secrethub run -- nodemon server.js2020-09-28T22:42:08.493885+00:00 app[web.1]: npm ERR! Exit status 1 2020-09-28T22:42:08.494399+00:00 app[web.1]: npm ERR! 2020-09-28T22:42:08.494840+00:00 app[web.1]: npm ERR! Failed at the aflare-stripe@1.0.0 start script. 2020-09-28T22:42:08.495292+00:00 app[web.1]: npm ERR! This is probably not a problem with npm. There is likely additional logging output above. 2020-09-28T22:42:08.515466+00:00 app[web.1]: 2020-09-28T22:42:08.516772+00:00 app[web.1]: npm ERR! A complete log of this run can be found in: 2020-09-28T22:42:08.517179+00:00 app[web.1]: npm ERR!
/app/.npm/_logs/2020-09-28T22_42_08_498Z-debug.log
就像我说的,我已经注册了一切。有人知道部署到 Heroku 和使用秘密管理服务的任何问题吗?
从日志的以下部分来看,SecretHub CLI 似乎无法访问凭据:
could not find credential file. Go to https://signup.secrethub.io/ to create an account or run secrethub init to use an already existing account on this machine. (secrethub.credential_not_exist)
您可以通过为您的 Heroku 应用程序创建服务帐户来解决此问题。您可以按照 this guide to see how. You can configure the resulting credential as the SECRETHUB_CREDENTIAL environment variable in Heroku (see here 如何操作)。