0

I have an App Engine service that runs a Flask app which hits an API endpoint, and that needs an API key. I wanted to add it to an environment variable in the app.yaml file, but then it would be visible in git.
I do not want to use Secret Manager, as this App Engine will be triggered a lot, meaning a lot of cost will be incurred that I want to avoid. So this solution doesn't work.
Is there any way I can add an environment variable to the app engine like how we can for Cloud Function and Cloud Run?

Nissan
  • All solutions there don't tell you how you can set it as an environment variable. They mostly seem to be a variation of the Secrets Manager solution. – Nissan Jul 02 '21 at 08:01
  • There is a third-party solution for this: [environment variable compiler](https://github.com/marketplace/actions/gae-environment-variable-compiler) – Farid Shumbar Jul 02 '21 at 10:00
  • @Nissan. If you downvote my answer, no problem, just let me know what's the problem with it. Why does it not match your requirements? – guillaume blaquiere Jul 02 '21 at 13:30

1 Answer

1

Even if you don't primarily want it, Secret Manager is the solution!

Firstly, Secret Manager is not so expensive for accessing secrets ($0.03 for 10,000 accesses). That means you need to start 10,000 App Engine instances to pay only $0.03!

Why so few? Because once you have read the secret (your API key) one time, you can keep it in memory in a global variable (singleton pattern). That way, you load it only once at instance start and then use it many times, until the instance is offloaded.

Note: If you start 300 instances per day, other costs will be much higher than the $0.03 of Secret Manager.

guillaume blaquiere
  • Hey, I wasn't the one who downvoted the answer. It's just that I wanted to avoid more API calls in my program as much as possible because it needs to be very performant. Every millisecond matters. – Nissan Jul 04 '21 at 02:12
  • 2
    Is the performance more important than the performances? You ask for the secret only once, at startup, not at every call. In addition, if performance matters, don't use a serverless product that scales to 0. In addition, you don't manage the network layers, routing and security, which are, most of the time, less efficient than a raw IaaS infra. If milliseconds matter, your design should be wrong! – guillaume blaquiere Jul 04 '21 at 17:56
  • Hmmm are you saying App Engine is not the way to go then? I do agree with your suggestion to ask the secret only once at boot. That is what I ended up doing at the end. – Nissan Jul 08 '21 at 16:12
  • If you target performance, having a service that starts and stops at any time, and therefore having a few requests with high latency (due to instance start, also named cold start), is not the good solution! – guillaume blaquiere Jul 08 '21 at 18:22
  • The traffic on the service will be continuous throughout 24 hours, and I can set the minimum instances to 1. Wouldn't that negate the cold start problem? – Nissan Jul 09 '21 at 05:39
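
The load-once pattern described in the answer, as an added example that is not code from the original thread: the secret is fetched on first use, held in process memory, and every later request reads the cached value. The names `CachedSecret`, `fetch_from_secret_manager` and `simulate_requests`, and the `PROJECT_ID`/`SECRET_NAME` placeholders, are assumptions made for illustration; the demo fetcher and its key are constructed.

```python
import threading
from typing import Callable, Optional


def fetch_from_secret_manager(resource_name: str) -> str:
    """One billable access call to Secret Manager."""
    # Imported lazily so the caching logic below also runs without the library.
    from google.cloud import secretmanager

    client = secretmanager.SecretManagerServiceClient()
    response = client.access_secret_version(request={"name": resource_name})
    return response.payload.data.decode("UTF-8")


class CachedSecret:
    """Fetch a secret at most once per instance, then serve it from memory."""

    def __init__(self, resource_name: str,
                 fetcher: Callable[[str], str] = fetch_from_secret_manager):
        self._resource_name = resource_name
        self._fetcher = fetcher
        self._lock = threading.Lock()
        self._value: Optional[str] = None

    def get(self) -> str:
        if self._value is None:            # fast path: no lock once loaded
            with self._lock:
                if self._value is None:    # re-check: another thread may have won
                    self._value = self._fetcher(self._resource_name)
        return self._value

    def __repr__(self) -> str:             # keep the key out of logs and tracebacks
        return f"CachedSecret({self._resource_name!r}, value=<redacted>)"


# Module-level singleton; PROJECT_ID and SECRET_NAME are placeholders.
API_KEY = CachedSecret("projects/PROJECT_ID/secrets/SECRET_NAME/versions/latest")


def simulate_requests(n_requests: int, n_threads: int = 8) -> int:
    """Constructed demo: concurrent requests against a fake fetcher.
    Returns how many (billable) fetches actually happened."""
    calls = []
    secret = CachedSecret("projects/demo/secrets/api-key/versions/1",
                          lambda name: calls.append(name) or "constructed-demo-key")
    def worker():
        for _ in range(n_requests // n_threads):
            secret.get()
    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(calls)
```

In a Flask handler the key is read with `API_KEY.get()`; the instance's service account needs the Secret Manager Secret Accessor role. A rotated secret is not picked up until the instance restarts, because the cached value is never refreshed.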