Secrets on App Engine Flex

66 views

Skip to first unread message

Eric Hauser

unread,

Aug 21, 2018, 1:57:05 PM8/21/18

to Google App Engine

The standard method of storing a secret in GCS encrypted via KMS generally works fine. However, the Service Account documentation for App Engine Flex states (https://cloud.google.com/appengine/docs/flexible/python/service-account):

"Do not modify the permissions of the App Engine flexible environment service account."

What's the recommended way to give a Flex container the ability to decrypt a secret if you can't grant permissions to a KMS key?

Jorge A (Google Cloud Support)

unread,

Sep 6, 2018, 5:51:53 PM9/6/18

to Google App Engine

That's right, the App Engine Flexible environment service account's permissions can't be modified [1]. There's currently a feature request [2] with a similar question, and it has multiple suggestions made by other customers facing the same issue. We recommend following the feature request once in a while for updates as this exact method isn't supported yet.

[1]https://cloud.google.com/appengine/docs/flexible/python/service-account

[2]https://issuetracker.google.com/35894490

Reply all

Reply to author

Forward

0 new messages