1

If I deploy a config with secrets to Google App Engine, who exactly can read this config?

For instance, I have a config.json which holds API secrets that I don't want anyone to see. Who could potentially see this file?

The reason for this question is to decide whether it's worth using a key-encryption service for the config file.

David
  • Google launched a secrets management tool recently: https://cloud.google.com/solutions/secrets-management You may want to switch to that. – new name Apr 14 '20 at 12:56

1 Answer

1

As clarified in the documentation Predefined App Engine roles, the roles below are the ones that can view the configs from App Engine:

  • App Engine Admin
  • App Engine Service Admin
  • App Engine Deployer
  • App Engine Viewer
  • App Engine Code Viewer

Outside of the users with one of the above roles, no one should have access to your config files, which includes your config.json with your secrets.

Since this is a security matter, I think adding encryption is always a good idea. This way, you will add an additional layer of security to your application - something that is always good.

In case you decide to go with encryption, I would recommend checking this post here, where some encryption options and ways to apply them are described, which I believe would help you.

Let me know if the information helped you!

gso_gabriel
  • Thanks Gabriel, but from the web, nobody can see the files, which are hosted server-side, correct? – David Apr 14 '20 at 07:33
  • Hi @David, exactly. Nobody should have access to it, since it's stored server-side. As long as it's not uploaded to a more "public" place, like a repository, for example, it should not be a problem. :) – gso_gabriel Apr 14 '20 at 09:32
  • It would be better to use Secret Manager for API keys that won't change that often. Then you can limit access even further with IAM roles. https://cloud.google.com/secret-manager/docs/quickstart – oittaa Apr 14 '20 at 18:19
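The answer and the last two comments converge on the same design: anyone holding one of the listed App Engine roles can read whatever is inside the deployed config.json, so the deployed file should carry references to secrets rather than the secret values, with the values fetched from Secret Manager at process start. The following is an added example illustrating that pattern; it is not code from the question, the answer, or Google. The `sm://` reference syntax, the `SAMPLE_CONFIG` contents, the project and secret names, and the `find_plaintext_secrets` pre-deploy check are all assumptions constructed for the example; the fetcher is injected so the code runs offline, and the production fetcher assumes the `google-cloud-secret-manager` package.

```python
"""Resolve Secret Manager references in an App Engine config at startup.

Added example (not from the original post). The deployed config.json
holds only references of the form
  sm://projects/<project>/secrets/<name>/versions/<version>
and the real values are fetched when the process starts, so the file
that App Engine Admin/Deployer/Viewer roles can read contains no secrets.
"""
import json
import re
from typing import Any, Callable, List, Tuple

# Reference syntax is an assumption of this example, not a Google convention.
SECRET_REF = re.compile(r"^sm://(projects/[^/]+/secrets/[^/]+/versions/[^/]+)$")

# Constructed sample: what config.json looks like after replacing the
# secret values with references. Project and secret names are made up.
SAMPLE_CONFIG = json.dumps({
    "service_name": "billing",
    "stripe_api_key": "sm://projects/example-project/secrets/stripe-key/versions/latest",
    "db": {
        "host": "10.0.0.5",
        "password": "sm://projects/example-project/secrets/db-pass/versions/3",
    },
})


def resolve_secrets(config: Any, fetch: Callable[[str], str]) -> Any:
    """Walk dicts/lists recursively and replace every sm:// string with fetch(resource_name)."""
    if isinstance(config, dict):
        return {k: resolve_secrets(v, fetch) for k, v in config.items()}
    if isinstance(config, list):
        return [resolve_secrets(v, fetch) for v in config]
    if isinstance(config, str):
        match = SECRET_REF.match(config)
        if match:
            return fetch(match.group(1))
    return config


def load_config(raw_json: str, fetch: Callable[[str], str]) -> Any:
    """Parse the deployed JSON and resolve its references in one step."""
    return resolve_secrets(json.loads(raw_json), fetch)


def find_plaintext_secrets(
    config: Any,
    path: str = "",
    sensitive: Tuple[str, ...] = ("key", "password", "secret", "token"),
) -> List[str]:
    """Pre-deploy check: return paths whose key name looks sensitive but whose
    value is a literal rather than an sm:// reference. A non-empty result means
    a secret is about to be shipped inside the config file."""
    hits: List[str] = []
    if isinstance(config, dict):
        for key, value in config.items():
            child = f"{path}.{key}" if path else key
            looks_sensitive = any(word in key.lower() for word in sensitive)
            if isinstance(value, str) and looks_sensitive and not SECRET_REF.match(value):
                hits.append(child)
            hits.extend(find_plaintext_secrets(value, child, sensitive))
    elif isinstance(config, list):
        for index, value in enumerate(config):
            hits.extend(find_plaintext_secrets(value, f"{path}[{index}]", sensitive))
    return hits


def secret_manager_fetcher() -> Callable[[str], str]:
    """Production fetcher. Imports google-cloud-secret-manager lazily (assumed
    dependency) so the rest of this module runs without it installed."""
    from google.cloud import secretmanager  # assumed dependency

    client = secretmanager.SecretManagerServiceClient()

    def fetch(resource_name: str) -> str:
        response = client.access_secret_version(request={"name": resource_name})
        return response.payload.data.decode("utf-8")

    return fetch


if __name__ == "__main__":
    # Offline demo with a fake fetcher; in App Engine use secret_manager_fetcher().
    fake_store = {
        "projects/example-project/secrets/stripe-key/versions/latest": "sk_test_constructed",
        "projects/example-project/secrets/db-pass/versions/3": "db-pass-constructed",
    }
    print("pre-deploy check:", find_plaintext_secrets(json.loads(SAMPLE_CONFIG)))
    print(load_config(SAMPLE_CONFIG, fake_store.__getitem__))
```

Run `find_plaintext_secrets` in CI against the file you are about to deploy and fail the build if it returns anything; the App Engine service account then needs only the Secret Manager accessor role on the specific secrets, which is the narrower IAM scope the last comment refers to.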