The standard method of storing a secret in GCS encrypted via KMS generally works fine. However, the Service Account documentation for App Engine Flex states (https://cloud.google.com/appengine/docs/flexible/python/service-account):
"Do not modify the permissions of the App Engine flexible environment service account." What's the recommended way to give a Flex container the ability to decrypt a secret if you can't grant permissions to a KMS key?
