Reputation: 545
Best way to store and share cryptographic keys on GCP accross functions
Some functions I am writing would need to store and share a set of cryptographic keys (<1kb) somewhere so that:
- it is shared across functions and within instances of the same function
- it is maintained after function deploys
The keys are modified (and written) every 4 hours or so, based on whether a key has expired or a new key needs to be created.
Right now, I am storing the keys as encrypted binary in a cloud bucket with access limited to that function. It works, except that it is fairly slow (~500ms for the read / write that is required when updating the keys).
I have considered some other solutions:
- Redis: fast, but overkill given the price ($40/month) it would cost to store a single value
- Cloud SQL: the functions are already connected to a cloud instance so it would not incur more costs
- Dropping everything and using a KMS. Unfortunately it would not meet the requirements I have.
The library I use in my functions is available here.
Is there a better way to store a single small blob of data for cloud functions (and possibly other tools like GKE) ?
Edit
The solution I ended up using was using a single table in a database that the app was already connected to. It is also about 5 times faster than using a bucket (<100ms).
The moral of the story is to use whatever is already provisioned to store the keys. If storing a key is a problem, then using the combo KMS + cloud functions for rotations described below seems like a good option.
All the code + more details are available here.
Upvotes: 1
Views: 178
Answers (1)
Reputation: 4961
A better approach would be to manage your keys with Cloud KMS. However, as you mentioned before Cloud KMS does not automatically delete the old key version material and you will need to manually delete old versions which I suspect is a thing that you don’t want to do.
Another possibility is to just keep the keys in Firestore. Since for this you don’t have to provision any specific infrastructure such as with Redis Memorystore and Postgres Cloud SQL it will be easier to manage and to scale in the long run.
The general idea would be to have a Cloud Function triggered by Cloud Scheduler every 4 hours, and this function will rotate the keys on your Cloud Firestore.
How does this sound to you?
Upvotes: 1
Related Questions
- GCP 2nd generation Cloud Functions: How can I use Secrets?
- How do i handle secrets in Google Cloud Functions?
- Best way to store json keyfile for GCP functions serverless deployment with Github actions
- Google Cloud Functions - How to securely store service account private key when using Google Source Repository?
- GCP correct way to access and store password / credentials through Compute Engine's Service Account
- How should I store secrets for use in Google Cloud Platform?
- Where to store key-value pairs for runtime retrieval from within Cloud Function?
- How to handle keys and credentials when deploying to Google Cloud Functions?
- Google Cloud Functions authentication to other GCP APIs
- Communicate internally between Google Cloud Functions?