GAE: best practices for storing secret keys?

Question

Are there any non-terrible ways of storing secret keys for Google App Engine? Or, at least, less terrible than checking them into source control?

Answer 1

Google app engine by default create credential for app engine and inject it in side the environment.

Google Cloud client libraries use a strategy called Application Default Credentials (ADC) to find your application's credentials. When your code uses a client library, the strategy checks for your credentials in the following order:

1. First, ADC checks to see if the environment variable GOOGLE_APPLICATION_CREDENTIALS is set. If the variable is set, ADC uses the service account file that the variable points to.

2. If the environment variable isn't set, ADC uses the default service account that Compute Engine, Google Kubernetes Engine, Cloud Run, App Engine, and Cloud Functions provide, for applications that run on those services.

3. If ADC can't use either of the above credentials, an error occurs.

So point 2 means if you grant the permissions to your service account using IAM Admin you do not have to worry about the passing json keys it will aromatically works.

eg. Suppose your application running in App Engine Standard and it wants the access to the Google Cloud Storage. To do this you do not have to create new service account just grant the access to the ADC.

REF https://cloud.google.com/docs/authentication/production#finding_credentials_automatically