The standard method of storing a secret in GCS encrypted via KMS generally works fine. However, the Service Account documentation for App Engine Flex states (https://cloud.google.com/appengine/docs/flexible/python/service-account):
"Do not modify the permissions of the App Engine flexible environment service account." What's the recommended way to give a Flex container the ability to decrypt a secret if you can't grant permissions to a KMS key?