My application needs a bunch of secrets to run: database credentials, API credentials, etc. It's running in Google App Engine Standard Java 11. I need these secrets
The options are more or less what you have mentioned. Google Cloud Key Management is a great way of dealing with credentials and secret information in general. It has a REST API with methods which have to be used in order to achieve your goals with it. For example, you have the "get" method for getting cryptokeys, keyRings, cryptoKeysVersions etc.
For example, here there is a guide on how to set up authentication for your app. Here there is also a nice code example for this on GitHub.
If you think extra security is required you can also use the secret rotation technique.
Hard coding the values in the app.yaml is an option, too, although it is not recommended as the best practice. The app.yaml will not live only on your machine. It will also be deployed, and you can even see it from the App Engine "Versions" -> "Config" panel in the GCP Console. So, you do not need to worry about it.
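
A pre-deploy check for the app.yaml point above, as an added example that is not part of the original answer: it lists `env_variables` entries whose names look like credentials and whose values are literals rather than Cloud KMS resource names. The sample file, the variable names and the name heuristic are constructed assumptions.

```python
import re

# Constructed sample app.yaml for App Engine Standard Java 11 (not from the post).
SAMPLE_APP_YAML = """\
runtime: java11
env_variables:
  DB_USER: "appuser"
  DB_PASSWORD: "s3cr3t-example"
  PAYMENTS_API_KEY: example-key-123
  API_TOKEN_KMS_KEY: "projects/PROJECT_ID/locations/global/keyRings/RING/cryptoKeys/KEY"
  LOG_LEVEL: info
handlers:
  - url: /.*
    script: auto
"""

# Name fragments that suggest a credential (assumed heuristic, tune per project).
SENSITIVE_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|CREDENTIAL)", re.I)
# A Cloud KMS resource name is a pointer to a key, not secret material itself.
KMS_REFERENCE = re.compile(r"^projects/[^/]+/locations/[^/]+/keyRings/")

def env_variables(yaml_text):
    """Yield (name, value) pairs from the top-level env_variables block."""
    in_block = False
    for raw in yaml_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("#"):
            continue                          # skip blanks and comment lines
        if not line.startswith((" ", "\t")):  # unindented line: new top-level key
            in_block = line.strip() == "env_variables:"
            continue
        if in_block and ":" in line:
            name, value = line.strip().split(":", 1)
            yield name.strip(), value.strip().strip("\"'")

def hardcoded_secrets(yaml_text):
    """Return names of credential-like env vars that hold a literal value."""
    return [name for name, value in env_variables(yaml_text)
            if SENSITIVE_NAME.search(name) and value
            and not KMS_REFERENCE.match(value)]

if __name__ == "__main__":
    for name in hardcoded_secrets(SAMPLE_APP_YAML):
        print(f"app.yaml: {name} holds a literal value; load it at runtime instead")
```
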