Thanks for using Google Groups!

As you have mentioned, storing database passwords and other app secrets in 
the app.yaml file can pose many security risks. In order to maintain a 
level of security, you may feel free to implement Cloud KMS which offers 
the ability for secret management. With Cloud KMS, applications which 
require small pieces of sensitive data at build or runtime are referred to 
as secrets <https://cloud.google.com/kms/docs/secret-management>[1]. These 
secrets can be encrypted and decrypted with a symmetric key. In your case 
you can store the database credentials as secrets. You may explore more 
information about encrypting / decrypting a secret here 
<https://cloud.google.com/kms/docs/encrypt-decrypt>. 

There are currently three ways to manage secrets: 

1. Storing secrets in code, encrypted with a key from Cloud KMS. This 
solution implements secrets at the application layer. 
2. Storing secrets in a storage bucket in Cloud Storage, encrypted at rest. 
You can use a Cloud Storage bucket to store your database credentials and 
can also grant that bucket a specific Service Account. This solution allows 
for separation of systems. In the case that the code repository is 
breached, your secrets themselves may still be protected. 
3. Using a third-party secret management system. 

You can find more information regarding secret management here 
<https://cloud.google.com/kms/docs/secret-management#choosing_a_secret_management_solution>. 

In terms of storing secrets themselves, you may feel free to follow the 
steps highlighted in this documentation here 
<https://cloud.google.com/kms/docs/store-secrets>. This guide helps you 
through storing a secret within a Cloud Storage bucket. The secret is 
encrypted at the application layer with an encryption key from Cloud KMS. I 
believe this would be the best option as your secret would be stored within 
a bucket instead of your app.yaml file. Also, the secret being stored in a 
bucket would grant you the ability to restrict access to it with service 
account roles. 

Doing it this way will force your app to perform an API call to Google 
Cloud Storage in order to download the KMS encrypted file that contains the 
secret. It would then use the KMS generated key to decrypt the file so that 
it would be able to read out the password and use it to make a manual 
connection to the Cloud SQL instance. Adding these extra steps would be 
implementing more security layers, which is the entire idea noted in the 
Google example repository 
<https://github.com/GoogleCloudPlatform/python-docs-samples/tree/master/cloud-sql/mysql/sqlalchemy>: 
"Note: Saving credentials in environment variables is convenient, but not 
secure - consider a more secure solution such as Cloud KMS to help keep 
secrets safe". 


I hope this helps!



On Monday, May 6, 2019 at 9:09:23 AM UTC-4, Tareq Hasan wrote:
>
> Beginner question here:
>
> I’m trying to deploy a Laravel application on GAE. As mentioned in the 
> docs, the environment variables are supposed to be added in the `app.yaml` 
> file. But as the source code is in GitHub and a few people are collaborating 
> on the project, it’s definitely not a good practice to put the database 
> password and other app secrets in the `app.yaml` file. How should I provide 
> that information to the app, as a `.env` file isn’t supported? Also, I would 
> use the push-to-deploy feature to deploy the code to GAE from GitHub. So how 
> should I go about this?
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/e081ee29-43a2-4ce4-a5e4-85b546372e23%40googlegroups.com.
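As an added example (not code from this thread or from Google's sample repository), here is the runtime flow the reply describes, in Python: download the KMS-encrypted object from the bucket, decrypt it with the Cloud KMS key, and build the database connection URL from the result. The bucket, object and key names are placeholders, and the Cloud Storage and KMS calls are passed in as callables so the logic can be exercised with substitutes; the App Engine service account is assumed to hold `roles/storage.objectViewer` on the bucket and `roles/cloudkms.cryptoKeyDecrypter` on the key.

```python
import os
from typing import Callable
from urllib.parse import quote_plus

# Placeholders (assumed names): point these at your own bucket, object and key.
BUCKET = os.environ.get("SECRET_BUCKET", "example-secrets-bucket")
OBJECT = os.environ.get("SECRET_OBJECT", "db-password.enc")
KEY_NAME = os.environ.get(
    "KMS_KEY",
    "projects/PROJECT_ID/locations/global/keyRings/RING/cryptoKeys/KEY")


def gcs_download(bucket: str, name: str) -> bytes:
    """Fetch the KMS-encrypted object from Cloud Storage (needs google-cloud-storage)."""
    from google.cloud import storage
    return storage.Client().bucket(bucket).blob(name).download_as_bytes()


def kms_decrypt(key_name: str, ciphertext: bytes) -> bytes:
    """Ask Cloud KMS to decrypt the blob with the symmetric key (needs google-cloud-kms)."""
    from google.cloud import kms
    client = kms.KeyManagementServiceClient()
    response = client.decrypt(request={"name": key_name, "ciphertext": ciphertext})
    return response.plaintext


def load_db_password(download: Callable[[str, str], bytes],
                     decrypt: Callable[[str, bytes], bytes]) -> str:
    """Download, decrypt and validate the secret. Fail loudly on an empty
    object or empty plaintext rather than connecting with a blank password,
    and never log the returned value."""
    ciphertext = download(BUCKET, OBJECT)
    if not ciphertext:
        raise RuntimeError("encrypted secret object is missing or empty")
    password = decrypt(KEY_NAME, ciphertext).decode("utf-8").strip()
    if not password:
        raise RuntimeError("decrypted secret is empty")
    return password


def build_db_url(user: str, host: str, dbname: str,
                 download: Callable[[str, str], bytes] = gcs_download,
                 decrypt: Callable[[str, bytes], bytes] = kms_decrypt) -> str:
    """SQLAlchemy-style URL for a manual Cloud SQL (MySQL) connection; the
    password is URL-encoded because it may contain reserved characters."""
    password = load_db_password(download, decrypt)
    return f"mysql+pymysql://{quote_plus(user)}:{quote_plus(password)}@{host}/{dbname}"
```

In production call `build_db_url("app_user", "10.0.0.5", "laravel")` once at startup and hand the URL to `sqlalchemy.create_engine`, keeping only the ciphertext object in the bucket and nothing secret in `app.yaml`.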