7

I'm deploying a Node.js app on GAE that connects to a Cloud SQL instance.

Following the docs, I'm told to store the user/password for the database inside app.yaml:

env_variables:
  MYSQL_USER: YOUR_USER
  MYSQL_PASSWORD: YOUR_PASSWORD
  MYSQL_DATABASE: YOUR_DATABASE
  # e.g. my-awesome-project:us-central1:my-cloud-sql-instance
  INSTANCE_CONNECTION_NAME: YOUR_INSTANCE_CONNECTION_NAME

Is this really a good place to store the password?

Alon
  • Same issue too. Here is my question: https://stackoverflow.com/questions/54139716/how-to-pass-system-environment-variables-to-app-yaml. I think if you put some secrets in `app.yaml`, then this file should not be uploaded to SCM. – Lin Du Jan 24 '19 at 02:54

4 Answers

1

Storing secrets in app.yaml risks them leaking (e.g., it's not uncommon to find them checked in accidentally on github). Storing secrets in a .gitignored file that you weave into app.yaml at deploy time is one approach. Another approach is to store the secrets in an Entity in the datastore.

For many of my apps, I store secrets in an Entity called Config, which stores stringified JSON. This simplifies the admin UI for editing them down to a single textarea, deferring the need for a more complicated UI.

For an example of this approach with a more full-featured UI, check out the Khan Academy 'snippets' app. https://github.com/Khan/snippets

Dave W. Smith
  • Thanks for your answer, but I'm looking for a more native GAE implementation. For example in AWS Elastic Beanstalk you have access to the database username and password as environment variables out of the box, and you can also set environment variables from the web console (so they don't appear in any config files). – Alon Apr 15 '17 at 10:11
1

Google does not have a service for this thing (yet). I asked support about this before and their suggestion is to store the data in a datastore (encrypted).

marcadian
1

What you should do:

  1. put app.yaml in .gitignore, and then,
  2. set your secrets in app.yaml, and then,
  3. perform gcloud app deploy

You don't need to have app.yaml in your version control to still "set" your environment variables in GAE.

HJW
-2

Yes. We do the same. There is not much difference between storing credentials in environment variables or in a file. Storing them in a file I found more convenient (though it is totally subjective). In terms of security concerns, you can always play with file permissions. You can create a user which will run the app, and grant read access to this user.

Sergey Yarotskiy