NodeJS Secure Environment Variables with Google Key Management Service

Introduction

When developing applications, using environment variables is essential. They help configure values for different environments like development, staging, and production. Some environment variables, such as API keys, database connections, or passwords, are sensitive and need to be kept secure. If you're using Google Cloud, their Key Management Service (KMS) can help you manage keys, and allows you to encrypt and decrypt values using those keys.

Prerequisites

Before we proceed, make sure you have:

Key Management Service

KMS works with key rings, which hold multiple keys. You use these keys to encrypt and decrypt string values or file data.

Be cautious: if a key is deleted, any data encrypted with it can't be decrypted anymore.


To create a key ring, execute the following command:

gcloud kms keyrings create "key-ring-name" \
--location "global"


Then create a key based on the keyring.

gcloud kms keys create "key-name" \
--location "global" \
--keyring "key-ring-name" \
--purpose "encryption"


You can check the keyring and key that were created by using a command or by visiting the Google Cloud Console.

gcloud kms keys list \
--location "global" \
--keyring "key-ring-name"

gcloud kms keys versions list \
--location "global" \
--keyring "key-ring-name" \
--key "key-name"


Deploying with NodeJS

Once you've successfully set up your NodeJS Typescript project, install the following package:

yarn add @google-cloud/kms


Use the following code block to interact with Google KMS.

import {KeyManagementServiceClient} from '@google-cloud/kms'

const projectId = 'project-id'
const location = 'global'
const keyRing = 'key-ring-name' // replace your keyring name
const cryptoKey = 'key-name' // replace your key name

const kmsClient = new KeyManagementServiceClient()
const parent = kmsClient.locationPath(projectId, location)
const kmsPath = kmsClient.cryptoKeyPath(projectId, location, keyRing, cryptoKey)
const [keyRings] = await kmsClient.listKeyRings({parent})

const decrypt = async (encryptValue: string): Promise<string> => {
try {
const request = {
name: kmsPath,
ciphertext: encryptValue,
}
const [decryptedText] = await kmsClient.decrypt(request)
return decryptedText.plaintext.toString().trim()
} catch (e) {
console.error(e)
return null
}
}

if (keyRings.length) {
const keyRingNames = keyRings.map(keyRing => keyRing.name)
console.log('Key rings:', keyRingNames)
}

const [username, password] = await Promise.all([decrypt(process.env.GCP_USERNAME), decrypt(process.env.GCP_PASSWORD)])
console.log('Decrypted value:', username, password)


I use `process.env.GCP_USERNAME` and `process.env.GCP_PASSWORD` defined in the `.env` file like this

GCP_USERNAME=CiQAgHBm4/HepIf4wK9keDAYTenhPTA5lgJOOXEziBNdjiZ14SwSOABot+e3PRhP8Tepqb8QvvmD9yPcOuBNt5Goh0404pHqpcs1/sCagzYhhnEvn71gYY3GDps0CzK2
GCP_PASSWORD=CiQAgHBm74TCT5a66lD0Q0L1k/k0IP4y2zPCmia0VBB76blzxmUSOABot+e2hvUl91xbUvuSvUVYKtrqDlw8+qTM3d+1Mw6j+WpsXH+fZ0YkZdZi2DsLRpDXT4fTPc8g

The values for GCP_USERNAME and GCP_PASSWORD are encrypted in base64 based on the key created above. Therefore, you cannot use the usual method to decrypt these values.


To encrypt a value to base64, use the following command:

echo "password_value" | gcloud kms encrypt \
--location "global" \
--keyring "key-ring-name" \
--key "key-name" \
--plaintext-file - \
--ciphertext-file - | base64


After obtaining the value, replace it in your .env file accordingly.


The result of executing the code will be as follows:


See more articles here.

Comments

Post a Comment

Popular posts from this blog

Kubernetes Practice Series

Image
Introduction Kubernetes (often abbreviated as K8s ) is an open-source system designed to automate the deployment, scaling, and management of containerized applications. This page serves as a collection of articles related to Kubernetes (K8s) , including theoretical concepts and practical guides on using Kubernetes to set up essential tools for the software development process. I will continue to update this series with new articles as ideas come to mind, to ensure the series becomes more comprehensive. The articles are arranged in increasing order of difficulty to make it easier for you to follow. If you have time, it's recommended that you start from the beginning of the series to acquire the necessary knowledge and information that will prepare you for the subsequent articles. Key Topics Covered in This Series Basic Knowledge : Fundamental concepts, common commands, etc. Resources : Pod, Deployment, Service, StatefulSet, Ingress, etc. Pod Autoscaler : Horizontal and Vertical sc...
Read more

NodeJS Practice Series

Image
Introduction NodeJS is an open-source and cross-platform JavaScript runtime environment . Here are some key points about NodeJS : V8 Engine : NodeJS runs on the V8 JavaScript engine , which is also the core of Google Chrome . This allows NodeJS to be highly performant. Asynchronous and Non-Blocking : NodeJS  uses an event-driven, non-blocking I/O model. It’s lightweight and efficient, making it ideal for data-intensive real-time applications. Single-Threaded : NodeJS  runs in a single process, handling multiple requests without creating new threads. It eliminates waiting and continues with the next request. Common Language : Frontend developers who write JavaScript for browsers can use the same language for server-side code in NodeJS . You can even use the latest ECMAScript standards without waiting for browser updates. This page is designed to compile articles related to NodeJS , including how to integrate it with various libraries and relevant tech stacks. I will cont...
Read more

Deploying a NodeJS Server on Google Kubernetes Engine

Image
Introduction to GKE Google Kubernetes Engine (GKE) is a managed Kubernetes service provided by Google Cloud Platform , facilitating simple and efficient deployment of Docker images. We only need to provide some configuration for the number of nodes, machine types, and replicas to use. Some Concepts Cluster A Cluster is a collection of Nodes where Kubernetes can deploy applications. A cluster includes at least one Master Node and multiple Worker Nodes . The Master Node is used to manage the Worker Nodes . Node A Node is a server in the Kubernetes Cluster. Nodes can be physical servers or virtual machines. Each Node runs  Kubernetes , which is responsible for communication between the Master Node and Worker Node , as well as managing Pods and containers running on it. Pod A Pod is the smallest deployable unit in Kubernetes . Each Pod contains one or more containers, typically Docker containers. Containers in the same Pod share a network namespace, meaning they have the ...
Read more

Setting up Kubernetes Dashboard with Kind

Image
Introduction In a previous article, I guided you through using Helm to deploy on Google Kubernetes Engine . However, if you want to cut down costs by using Kubernetes in your local environment instead of relying on a cloud provider during development, then Kind is your go-to. There are several tools to help set up Kubernetes locally, such as MiniKube , Kind , K3S , KubeAdm , and more. Each tool has its own pros and cons. In this article, I'll walk you through using Kind to quickly set up a Kubernetes cluster on Docker . Kind stands out for its compactness, making Kubernetes start up quickly, being user-friendly, and supporting the latest Kubernetes versions. Working with Kind Firstly, follow the instructions here to install Kind according to your operating system. If you're using Ubuntu , execute the command: [ $( uname -m ) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.23.0/kind-linux-amd64 chmod +x ./kind sudo mv ./kind /usr/local/bin/ki...
Read more

Docker Practice Series

Image
Introduction Docker is an open platform for developing, shipping, and running applications. This page is dedicated to compiling articles related to Docker , covering both the theoretical aspects and practical applications of Docker in setting up popular tools essential for software development. I will be updating this series with more articles in the future as new ideas for topics arise. The articles are arranged in increasing order of difficulty, making it easier for you to follow along. If you have the time, I recommend starting from the beginning of the series to ensure that you grasp the necessary knowledge and information needed for the more advanced articles later on. Here are some key topics in the series that you need to explore to effectively use Docker : Basic knowledge Docker commands Docker Compose Building Docker images Performance improvement Integration with CI/CD Once you have a solid understanding of the foundational knowledge, the extended topics (including advanced...
Read more

React Practice Series

Image
Introduction React is a JavaScript library created by Facebook , often referred to as the most popular frontend framework today. This page aims to gather articles related to ReactJS , covering topics such as theory, features, and commonly used packages in the process of building ReactJS applications. I will update this series with more articles in the future as new ideas for content come up. The articles are arranged in increasing order of difficulty, so if you have time, it's recommended to start from the beginning of the series. This will ensure you grasp the essential knowledge and information needed for the subsequent articles. Here are some key topics in the series that you need to explore to effectively use ReactJS : Fundamental : React Hook, React Context, Lazy load, etc. State management : redux, mobx, recoil, etc. Middleware libraries : redux-thunk, redux-saga, redux-observable, etc. Popular packages : react-query, immer, styled-components, etc. Rendering techniques : C...
Read more

Using Kafka with Docker and NodeJS

Image
Introduction to Kafka Kafka is an open-source , distributed messaging system that functions on a publish/subscribe model. It is widely used by numerous large companies for high-performance , real-time data streaming. Developed by LinkedIn since 2011, Kafka has grown into the most popular distributed streaming platform. It can handle vast amounts of records with high efficiency. Advantages of Kafka Open-source : Freely available and continuously improved by a large community. High-throughput, high-frequency : Capable of processing large volumes of data across topics continuously. Automatic message storage : Allows for easy message retrieval and verification. Large user community : Offers extensive support and shared resources. Basic Concepts If you're new to Kafka and Message Queues, here are some key concepts to understand: Producer : Creates and sends data to the Kafka server, where data is sent as messages in byte array format. Consumer : One or more consumers subscribe to...
Read more

Sitemap

Image
A page aggregator designed for easy reference and search, compiling all blog posts for convenient access.
Read more

Monitoring with cAdvisor, Prometheus and Grafana on Docker

Image
Introduction Monitoring a system is crucial after deploying a product to a production environment. Keeping an eye on system metrics like logs , CPU , RAM , disks , etc, helps identify the system's status, performance issues, and provides timely solutions to ensure stable operations. While cloud providers like Google , Amazon , or Azure offer built-in monitoring systems, if your company needs to manage multiple applications/systems/containers and desires a centralized monitoring system for easier management, using cAdvisor , Prometheus , and Grafana is a sensible choice. These three popular open-source tools are widely used by DevOps teams, especially for monitoring container applications. cAdvisor Developed by Google , cAdvisor is an open-source project used to analyze resource usage, performance, and other metrics from container applications, providing an overview of all running containers. Find more details here Prometheus Prometheus is a toolkit for system monitoring and a...
Read more

Using Terraform to Create VM Instances and Connect via SSH

Image
Introduction In the previous article, I introduced some basic concepts about Terraform , as well as the advantages of using Terraform . If you're not familiar with it yet, take a look to get some basic knowledge before diving into the next topics . In this article, I will guide you through writing Terraform files to deploy a Virtual Machine (VM) instance to the Google Cloud Provider . Creating a Service Account If you already have a Google Cloud account with the necessary permissions, you can log in to work with Terraform as I instructed in the previous article. However, if for some reason you can't log in, or if you need a better authentication method, you can create a Service Account to use. In simple terms, a Google Cloud account is allowed to create Service Accounts . Each Service Account is assigned roles , and each role has corresponding permissions allowing the Service Account to perform specific tasks based on permissions . To create a Service Account , use th...
Read more