I can tell you what I do (in the standard env): * Dev environment credentials are stored in source code. Every developer needs access to these, might as well make it easy. * Production/staging environment credentials are stored in a standalone git repo and merged by the build script.
I find this to be a good balance of convenience and security. The only special configuration is granting CI access to the secrets repo. It’s pretty easy to set up with circleci, and the deploy process is “git merge”. Jeff On Mon, Mar 13, 2017 at 1:24 PM, 'George (Cloud Platform Support)' via Google App Engine <google-appengine@googlegroups.com> wrote: > Storing your environment data or secrets in Datastore, in a bucket using > GCS may be rather considered as the usual thing to do in this environment. > More about the encryption capabilities of the platform can be read in the > "Encryption at Rest" document > <https://cloud.google.com/security/encryption-at-rest/>. > > App Engine allows you to make use of appropriate services, that provide > you with tools allowing to store safely configuration and secrets. Cloud > KMS is a REST API that can use a key to encrypt or decrypt data, such as > secrets, for storage. You may read details on the "CLOUD KEY MANAGEMENT > SERVICE" documentation page <https://cloud.google.com/kms/>. > > You may be interested in the "App Identity API > <https://cloud.google.com/appengine/docs/standard/java/appidentity/#Java_Asserting_identity_to_other_systems>" > as well. > > Environment variables can be made available to the app by specifying them > at deployment time in the app.yaml file, as describe in the "Configuring > your App with app.yaml" documentation page > <https://cloud.google.com/appengine/docs/flexible/nodejs/configuring-your-app-with-app-yaml>, > both for flex and standard environments. > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to google-appengine+unsubscr...@googlegroups.com. > To post to this group, send email to google-appengine@googlegroups.com. > Visit this group at https://groups.google.com/group/google-appengine. > To view this discussion on the web visit https://groups.google.com/d/ > msgid/google-appengine/876c7ac7-4d93-4c2c-8bf3- > 8c83505e3cf9%40googlegroups.com > <https://groups.google.com/d/msgid/google-appengine/876c7ac7-4d93-4c2c-8bf3-8c83505e3cf9%40googlegroups.com?utm_medium=email&utm_source=footer> > . > > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to google-appengine+unsubscr...@googlegroups.com. To post to this group, send email to google-appengine@googlegroups.com. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/CADK-0ugJexBqWJMx8Ev%2BUqRA5KQu61psiZ7PzU9rPhjau970SQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
