Helps managing GCF
Last updated a year ago by peopledata-product-team .
ISC · Original npm · Tarball · package.json
$ cnpm install angra 
SYNC missed versions from official npm registry.


A simple module to help deploying our apps to Google Cloud Functions.

What is the problem?

No long after we started to consider using GCF for some of our apps we started to face its ecosystem limitations:

Deploy to multiple environment

We want to promote our function just like we do with our regular apps. So we need a way to deploy at least to dev, preprod and prod.

Environment Variables

Our configuration is mainly done via environment variables. Those are not yet supported on GCF.

Accessing services on Google Cloud Platform

GCF can, by default, access services like datasore, pubsub, etc. For any other service you need to provide a key from a service account properly configured.


Even if we environment variables were available, we do not want to expose our secrets in plain text. So we needed a way to do it securely.

Proposed solution

We took inspiration from Jean Baudin's work as explained in this article. Even though it isn't an exact match for our case, we follow the same principle.

The idea is using Google's Key Management Service, KMS, to encrypt/decrypt values that are store in an environment file. This file is packaged among with the source code when it's being deployed.

For that, we also need to provide a credential to access KMS, as it's not yet on the services available for GCF by default.

How to use


The package can be installed via npm install --save-dev angra.

Basic usage

We expect a file angra.yml to be present on the repository. The file should look like this:

name: 'hello-world'
trigger: 'http'
entryPoint: 'hello'

The field name is the base name of the function. Because we want to have it deployed to multiple environments, the actual name of the function deployed will be name-env. So in this case, hello-world-dev. Trigger is the trigger type. For now it can only be http. Finally, entryPoint is the name of the exposed function that needs to be called.

We also expect you to have a folder config in which the environment files are present.

├── angra.yml
├── config
│   └── local.js
│   └── dev.js
│   └── preprod.js
├── index.js
├── package-lock.json
└── package.json

With all set. You can run ./node_modules/.bin/angra deploy local.

What this will give you is a file named env.js that can be loaded and used in your function:

const env = require('./env.js');

exports.hello = (req, res) => {
  res.send(`Hello, ${}!`);

Trigger from pubsub topic

You can also trigger the function via pubsub, in which case topic also needs to be provided:

name: 'hello-world-pubsub'
trigger: 'pubsub'
topic: 'hello-world'
entryPoint: 'hello'

Specifying nodejs version

The nodejs version can also be set by specifying the runtime field:

name: 'hello-world-pubsub'
trigger: 'pubsub'
topic: 'hello-world'
entryPoint: 'hello'
runtime: 'nodejs8'


env.js needs to be added to .gitignore.

Adding credentials

If you need to also add credentials on the deployment, you'll first need to update angra.yml and add the useCredentials field:

name: 'hello-world'
trigger: 'http'
entryPoint: 'hello'
useCredentials: true

Similar to the config folder, we expect a JSON file for each environment on the credentials folder:

├── angra.yml
├── config
│   └── local.js
│   └── dev.js
│   └── preprod.js
├── credentials
│   └── local.json
│   └── dev.json
│   └── preprod.json
├── index.js
├── package-lock.json
└── package.json

The deployment command remains the same: ./node_modules/.bin/angra deploy local.


env.js needs to be added to .gitignore. Also you should have it protected using git-crypt.

Secure environment variables

You'll first need to create a KMS key ring and location. Please follow its documentation to do so.

Once it's created, make sure you create a service account that have access to encrypt/decrypt using that key ring. Also download and place the credential json on the respective credentials folder.

We'll use the gcloud-kms-helper module to help us encrypt/decrypt the secret. Make sure you have run npm install --save gcloud-kms-helper.


First you need to encrypt the value: ./node_modules/.bin/kms-helper encrypt --project_id <project_name> --project_location <key_ring_location> --key_ring_name hello-world-dev --crypto_key_name dev supersecret outputFile.

You can then use outputFile content and keep it on one of the environment files.


Similarly, you can decrypt with the following command: ./node_modules/.bin/kms-helper decrypt --project_id <project_name> --project_location <key_ring_location> --key_ring_name hello-world-dev --crypto_key_name dev inputFile.


As part of angra version 0.0.7, runtime of the function to be deployed can be specified in the angra.yml file. The default runtime if not specified is nodejs8 from version 0.1.0

Using in your code

You can find an example of how to use gcloud-kms-helper programatically on our recruitment-events-receiver.

Current Tags

  • 0.1.2                                ...           latest (a year ago)

11 Versions

  • 0.1.2                                ...           a year ago
  • 0.1.1                                ...           a year ago
  • 0.1.0                                ...           a year ago
  • 0.0.9                                ...           a year ago
  • 0.0.8                                ...           a year ago
  • 0.0.7                                ...           a year ago
  • 0.0.6                                ...           2 years ago
  • 0.0.5                                ...           2 years ago
  • 0.0.4                                ...           2 years ago
  • 0.0.3                                ...           2 years ago
  • 0.0.1                                ...           2 years ago
Today 0
This Week 0
This Month 0
Last Day 0
Last Week 1
Last Month 1
Dependencies (3)
Dev Dependencies (2)
Dependents (0)

Copyright 2014 - 2017 © |