
Google Cloud Platform doesn't describe how to deal with environmental variables in your app.yaml.

Starting up with GCP and Google App Engine, I read about setting my config variables in app.yaml which makes sense in a way, but I don't want to put my password/secrets/keys/etc in my GIT repository.

Presuming that @Google's engineers are smart enough to not want this either, I'd guess that the best practice would be to put app.yaml in .gitignore.

Executing gcloud app deploy results in a perfectly working app. But it still remains an unfinished issue to me and I strongly believe there should be an article somewhere that describes what the best practice is.

Can someone confirm that:

  1. putting app.yaml in .gitignore, and then,
  2. setting my secrets in app.yaml, and then,
  3. performing gcloud app deploy

is the way to go?

HJW
    Have you looked at the document here? https://cloud.google.com/ruby/rails/appengine#deploy-to-app-engine – demir Aug 11 '19 at 13:53
  • Hey @PawelCzuczwara you are right. I posted a detailed answer. – demir Aug 13 '19 at 02:12
  • Hi @PawelCzuczwara and @demir, thanks for your answers, but this is exactly the document that got me stuck and the cause to ask this question. It explains in detail how to set up `app.yaml` but it doesn't explain how to cope with secrets in relation to version management – HJW Aug 14 '19 at 10:29

2 Answers

You should use rails environment variables.

Before Rails 5.2

You can use dotenv

With Rails 5.2

You can use both dotenv and rails credentials.

With rails credentials:

  1. Add secret_key_base variable to the credentials file.
  2. Use secret_key_base variable in the app.yaml file:

    env_variables:
      SECRET_KEY_BASE: <%= Rails.application.credentials[:secret_key_base] %>

Google's configuration document

Rails credentials

EDIT

Adding and updating environment variables for Google Cloud Platform

demir
  • This indeed is a solution that works. However, the article doesn't mention anything about security (e.g. putting `app.yaml` in `.gitignore` to prevent the secret being pushed into version control), and this is what confuses me. Performing `gcloud app deploy` publishes the `ENV` variables literally in the deploy logs. It is hard to believe this is a best practice since all passwords and secrets are published at that moment. Other PaaS services such as Heroku offer the opportunity to enter the `ENV` variables manually, therefore preventing putting your secrets all over the internet. – HJW Aug 14 '19 at 10:40
  • Google Cloud Platform is [secured on many layers](https://cloud.google.com/security/), so I do not understand in what situation it could be your concern? – Pawel Czuczwara Aug 14 '19 at 10:46
  • If you push your `app.yaml` to your version control, then your secrets are publicly available. One could say: then don't publish them (e.g. by putting `app.yaml` in `.gitignore`) but then still the logs created while deploying the app publish the secrets. – HJW Aug 14 '19 at 11:38
  • @double_u1 I've added a link to the related document. Can you check the answer? – demir Aug 14 '19 at 21:56

I would suggest that, rather than putting your config in the app.yaml file, you use something like a config server (Spring Boot example), which you can easily set up to fetch your config parameters from git, a database or Vault (for sensitive data). You could also consider storing your parameters in App Engine memcache or in some storage like Datastore.

For now, in our project we're just appending an env_variables section to app.yaml in one of our pipeline's steps before deploying, using TeamCity for the build and Vault for storing secrets. TeamCity has built-in Vault integration. But I'd like to change it to use a config server in the near future.

    Thanks, this is a really nice solution! Still I'm surprised that Google doesn't seem to have a solution for this. – HJW Aug 14 '19 at 10:53
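A deploy-time rendering step like the one the second answer describes, as an added Ruby example that is not from the question or either answer: a committed `app.yaml` template is filled from secrets the CI runner injects (read here from environment variables; the variable names, the template and the `write_app_yaml` helper are constructed for this example), and the rendered `app.yaml` itself stays out of version control.

```ruby
# Added example: render app.yaml from a committed template right before
# `gcloud app deploy`, so secret values never live in the repository.
# The template and the secret names below are constructed for this example;
# a real pipeline would inject the values from its secret store (e.g. Vault).
require "erb"
require "yaml"

# Constructed template: this is what gets committed. app.yaml goes in .gitignore.
APP_YAML_TEMPLATE = <<~TEMPLATE
  runtime: ruby
  env: flex
  entrypoint: bundle exec rackup --port $PORT
  env_variables:
    SECRET_KEY_BASE: <%= secrets.fetch("SECRET_KEY_BASE") %>
    DATABASE_PASSWORD: <%= secrets.fetch("DATABASE_PASSWORD") %>
TEMPLATE

REQUIRED_SECRETS = %w[SECRET_KEY_BASE DATABASE_PASSWORD].freeze

# Collect the secrets the CI runner placed in the environment. Fail before
# rendering if any is missing or blank, so an empty secret never gets deployed.
def load_secrets(env = ENV)
  missing = REQUIRED_SECRETS.select { |k| env[k].to_s.strip.empty? }
  raise ArgumentError, "missing secrets: #{missing.join(', ')}" unless missing.empty?
  REQUIRED_SECRETS.to_h { |k| [k, env[k]] }
end

# Emit each value as a YAML single-quoted scalar (only ' needs doubling), so a
# secret containing ':' or '#' cannot alter the structure of the document.
def yaml_quote(value)
  "'#{value.gsub("'", "''")}'"
end

def render_app_yaml(secrets, template = APP_YAML_TEMPLATE)
  quoted = secrets.transform_values { |v| yaml_quote(v) }
  ERB.new(template).result_with_hash(secrets: quoted)
end

# Pipeline step: render, check that the result parses, then write app.yaml.
# Returns the rendered text so callers can inspect it without re-reading the file.
def write_app_yaml(path = "app.yaml", env = ENV)
  rendered = render_app_yaml(load_secrets(env))
  YAML.safe_load(rendered) # raises if the rendered document is not valid YAML
  File.write(path, rendered)
  rendered
end
```

Call `write_app_yaml` as the step immediately before `gcloud app deploy`, with `app.yaml` listed in `.gitignore` and only the template committed.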