Never store security keys in a version control system. Cloud Source Repositories can help you prevent users from storing security keys in your Google Cloud repositories. Cloud Source Repositories checks for the following types of security keys:
- Google Cloud service account credentials (JSON format)
- PEM-encoded private keys (including RSA, DSA, and PGP)
This check is available at no charge for all repositories.
How security key detection works
When a user runs git push, the check looks for data that could be a security key. If it finds a match, the feature blocks the git push and tells the user what was found and where. For example:
The push has been rejected because we detect that it contains a private key.
Please check the following commands and confirm that it's intentional:

    git show [COMMIT]

You can use `git rev-list --objects --all` to find the files.

To push these files, please run `git push -o nokeycheck`.
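The push check described above runs on the server side. As an added example that is not part of the Google documentation, the following POSIX shell script implements a local version of the same two detections as a git pre-commit hook, so that key material is reported with its file and line before it is even committed. The PEM header pattern and the service-account JSON heuristic are this example's own assumptions about what such material looks like, not the rules Cloud Source Repositories actually applies.

```shell
#!/bin/sh
# Added example, not Google's own code: a local pre-commit check for the two
# classes of material the Cloud Source Repositories push check rejects,
# PEM-encoded private keys (RSA, DSA, PGP, ...) and Google Cloud
# service-account credentials in JSON form. The patterns are this example's
# assumptions, not Google's detection rules.

# ERE for PEM private-key headers: RSA, DSA, EC, OpenSSH, PKCS#8 (plain or
# encrypted) and PGP ("-----BEGIN PGP PRIVATE KEY BLOCK-----").
PEM_RE='-----BEGIN (RSA |DSA |EC |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY( BLOCK)?-----'

# scan_file FILE
#   Prints "file:line: reason" for each finding so the user learns what was
#   found and where. Returns 0 when the file is clean, 1 when it is not.
scan_file() {
  f="$1"
  found=0

  # "--" stops grep from reading the leading dashes of the pattern as options.
  hit=$(grep -nE -- "$PEM_RE" "$f" 2>/dev/null | head -n 1)
  if [ -n "$hit" ]; then
    echo "$f:${hit%%:*}: PEM-encoded private key"
    found=1
  fi

  # Service-account JSON carries "type": "service_account" and a "private_key"
  # field; requiring both keeps ordinary JSON config files from being flagged.
  if grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$f" 2>/dev/null \
     && grep -q '"private_key"' "$f" 2>/dev/null; then
    echo "$f:1: Google Cloud service-account credential (JSON)"
    found=1
  fi

  return $found
}

# scan_staged
#   Runs scan_file over every file staged for the current commit. Returns 1 if
#   any file contains key material, which makes git abort the commit when this
#   script is installed as .git/hooks/pre-commit.
scan_staged() {
  rc=0
  # A here-document keeps the loop in the current shell so rc survives it.
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    scan_file "$f" || rc=1
  done <<EOF
$(git diff --cached --name-only --diff-filter=ACM)
EOF
  if [ "$rc" -ne 0 ]; then
    echo "Commit rejected: key material found. Remove it, or if this is" >&2
    echo "intentional, bypass the hook with: git commit --no-verify" >&2
  fi
  return $rc
}

# Only act as a hook when git invokes this file under the hook's name; when
# the file is sourced or run under another name, the functions are just defined.
case "$(basename "$0")" in
  pre-commit) scan_staged; exit $? ;;
esac
```

Install it by copying the script to .git/hooks/pre-commit and making it executable; because the trailing case statement keys on the script name, the same file can be sourced to call scan_file on individual files. A commit that the hook rejects can still be made with git commit --no-verify, the local counterpart of git push -o nokeycheck.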
Before you begin
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
Disabling security key detection
To disable security key detection, use the following gcloud commands:
gcloud init
gcloud source project-configs update --disable-pushblock
Enabling security key detection
To enable security key detection, use the following gcloud commands:
gcloud init
gcloud source project-configs update --enable-pushblock
Overriding security key detection
To override security key detection, use the following git command:
git push -o nokeycheck
What's next
After you have set up a Google Cloud repository, you might want to learn about the following topics: