App Engine Flexible: Where to store env-dependent configuration and secrets?


Bernhard Mäder

Mar 13, 2017, 12:15:25 PM
to Google App Engine
Title says it, where do you guys store your secrets and other app configuration? The stuff that will change depending on the environment (prod, stage, dev etc.)...

With Kubernetes, there are the Secret and ConfigMap objects, which are perfect for exactly that. Is there something comparable in AppEngine?

If not, I think I could use IAM key management, store them in a bucket, or even use deployment manager. But this all looks way too far-fetched for something that feels like it should be close to AE's core. What am I missing?

Thanks,
Bernhard

Les Vogel

Mar 13, 2017, 2:05:19 PM
to Google App Engine
Hi Bernhard,

AppEngine Flex can use the Metadata service - take a look at https://medium.com/google-cloud/google-compute-engine-metadata-service-de9d71ea44e0#.2vmglwf54 for some suggestions.

Cloud KMS is also a good place for Secrets.

Regards,

Les

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-appengine+unsubscribe@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/f8f10c84-7fa4-4d8a-be92-32539ce48fcd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Les Vogel
  •  Cloud Developer Relations
  •  le...@google.com
  •  +1-408-676-7023 

George (Cloud Platform Support)

Mar 13, 2017, 4:24:55 PM
to Google App Engine
Storing your environment data or secrets in Datastore, or in a bucket using GCS, may be considered the usual thing to do in this environment. More about the encryption capabilities of the platform can be read in the "Encryption at Rest" document.

App Engine allows you to make use of appropriate services that provide you with tools for safely storing configuration and secrets. Cloud KMS is a REST API that can use a key to encrypt or decrypt data, such as secrets, for storage. You may read details on the "CLOUD KEY MANAGEMENT SERVICE" documentation page.

You may be interested in the "App Identity API" as well.

Environment variables can be made available to the app by specifying them at deployment time in the app.yaml file, as described in the "Configuring your App with app.yaml" documentation page, both for flex and standard environments.
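
Two of the options named in the replies above, app.yaml environment variables and the metadata service, combined in a startup loader that fails closed. This is an added example, not code from any poster or from Google; the setting names (`DB_HOST`, `DB_PASSWORD`, `API_KEY`) are hypothetical, and it assumes the values were stored as custom project metadata attributes.

```python
import os
import urllib.error
import urllib.parse
import urllib.request

# Project-wide custom attributes on the Compute Engine metadata server.
METADATA_URL = "http://metadata.google.internal/computeMetadata/v1/project/attributes/"


class MissingSetting(RuntimeError):
    """Raised at startup when a required setting has no value anywhere."""


def fetch_metadata_attribute(key, timeout=2.0):
    """Return one custom metadata attribute, or None if it is not available."""
    url = METADATA_URL + urllib.parse.quote(key, safe="")
    # The server rejects requests that lack this header.
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # Verify the reply really came from the metadata server.
            if resp.headers.get("Metadata-Flavor") != "Google":
                raise RuntimeError("reply lacks Metadata-Flavor: Google")
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        if err.code == 404:  # attribute not defined for this project
            return None
        raise
    except urllib.error.URLError:
        return None  # no metadata server reachable, e.g. a developer laptop


def load_settings(required, environ=None, fetch=fetch_metadata_attribute):
    """Resolve each name from env vars (app.yaml) first, then metadata."""
    environ = os.environ if environ is None else environ
    settings, missing = {}, []
    for name in required:
        value = environ.get(name) or fetch(name)
        if value:
            settings[name] = value
        else:
            missing.append(name)
    if missing:
        # Report names only; values must never reach logs or error pages.
        raise MissingSetting("unset settings: " + ", ".join(sorted(missing)))
    return settings


if __name__ == "__main__":
    print(sorted(load_settings(["DB_HOST", "DB_PASSWORD"])))
```
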

Jeff Schnitzer

Mar 18, 2017, 7:59:40 AM
to Google App Engine
I can tell you what I do (in the standard env):

 * Dev environment credentials are stored in source code. Every developer needs access to these, might as well make it easy.
 * Production/staging environment credentials are stored in a standalone git repo and merged by the build script.

I find this to be a good balance of convenience and security. The only special configuration is granting CI access to the secrets repo. It’s pretty easy to set up with circleci, and the deploy process is “git merge”.

Jeff
