Secrets on App Engine Flex


Eric Hauser

Aug 21, 2018, 1:57:05 PM
to Google App Engine
The standard method of storing a secret in GCS encrypted via KMS generally works fine. However, the Service Account documentation for App Engine Flex states (https://cloud.google.com/appengine/docs/flexible/python/service-account):

"Do not modify the permissions of the App Engine flexible environment service account."

What's the recommended way to give a Flex container the ability to decrypt a secret if you can't grant permissions to a KMS key? 

Jorge A (Google Cloud Support)

Sep 6, 2018, 5:51:53 PM
to Google App Engine
That's right, the App Engine Flexible environment service account's permissions can't be modified [1]. There's currently a feature request [2] with a similar question, and it has multiple suggestions made by other customers facing the same issue. We recommend following the feature request once in a while for updates as this exact method isn't supported yet.
