4

I am deploying my first application on the cloud and I'm trying to set up my env vars.

From what I understand, they are set in the app.yaml file. But if that file is pushed to the repo, it would then contain the secret API keys, which is bad.

I could treat the app.yaml the same way I treat the .env but the problem is, how can I set env vars for prod in a CI/CD pipeline?

I am using Cloud Build to run my build pipeline. I am coming from Bitbucket & Heroku and there doesn't seem to be a way to "set" the env vars for the build environment like on those two platforms.

So then, how can I make my .env variables available in my app without taking the risk of pushing it to my repo?

Thank you for your help.

FrenchMajesty
  • the recommended method is to use Cloud KMS check this question [GCP kms encrypt env var and passing encrypted key through cloudbuild.yaml to google app engine](https://stackoverflow.com/questions/54698445/gcp-kms-encrypt-env-var-and-passing-encrypted-key-through-cloudbuild-yaml-to-goo) – Methkal Khalawi Jan 21 '21 at 09:14

2 Answers

0

For those looking, here is how I solved this problem.

I followed the steps outlined in this blog post.

Basically we set variables in the .yaml file, which we then compile into an .env file during the build process. We can set what the value of those variables is via Cloud Build configuration so we can restrict access to them and have them hidden.

FrenchMajesty
  • This isn't great, it's a bit hacky and manual. You use the exposed environment to get access to the secrets manager automatically, regardless of project setup. There are special Google authorised images for this via App Engine Standard – Oliver Dixon Oct 22 '21 at 14:23
  • @OliverDixon - can you kindly point others like me to documentation/articles on how to do this properly. – Ukor Oct 24 '21 at 00:35
  • When you deploy to App Engine via Standard you can access the environment and the "Secrets Manager" by default. So there's no need to manually hack environmental variables onto it. This is great for deploying to multiple environments and not thinking about anything. If you use Flex, you have to use an official Google Docker Image; they always change the links so it's not good to leave it here. – Oliver Dixon Oct 24 '21 at 18:47
-1

I have a 'deploy' script that clones my app.yaml, downloads api-keys from google-secret-manager, and injects them as environment variables into the env_variables section of app.yaml and then runs the deploy command using that new app.yaml instead of the original.

For me this script is a local thing, but I imagine you could do something similar in google-cloud-build.

Alex
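An added example (not Alex's script, and not code from the accepted answer above) of the deploy-time merge both answers describe: the committed app.yaml carries only non-secret settings, the secrets are read from Secret Manager at deploy time, and a throwaway copy of app.yaml with the populated `env_variables` section is handed to `gcloud app deploy`. The sample app.yaml, the `SECRET_ENV_VARS` mapping and the secret names are constructed for illustration; `fetch_secret_with_gcloud` wraps the real `gcloud secrets versions access` command, and the fetcher is injectable so the merge logic can be exercised without network access (which is also how you would run it as a Cloud Build step whose service account has `roles/secretmanager.secretAccessor`). No YAML library is assumed: the script only edits the flat `env_variables` block.

```python
import os
import re
import subprocess
import tempfile
from typing import Callable, Dict, Optional

# Constructed sample app.yaml: this is the copy that lives in the repo and
# deliberately contains no secrets.
SAMPLE_APP_YAML = """runtime: python39
service: default

env_variables:
  APP_ENV: "production"
  LOG_LEVEL: "info"

handlers:
- url: /.*
  script: auto
"""

# Hypothetical mapping: environment variable name -> Secret Manager secret name.
SECRET_ENV_VARS = {
    "STRIPE_API_KEY": "stripe-api-key",
    "DATABASE_URL": "database-url",
}

# Matches one "  KEY: value" line inside the env_variables block.
_ENV_LINE = re.compile(r"^\s+([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")


def fetch_secret_with_gcloud(secret_name: str, project: Optional[str] = None) -> str:
    """Read the latest version of a secret via the gcloud CLI (needs network + IAM)."""
    cmd = ["gcloud", "secrets", "versions", "access", "latest", "--secret", secret_name]
    if project:
        cmd += ["--project", project]
    result = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return result.stdout.rstrip("\n")


def _quote(value: str) -> str:
    """Render a value as a YAML double-quoted scalar so keys with '#', ':' or quotes survive."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return '"' + escaped + '"'


def inject_env_variables(app_yaml: str, secrets: Dict[str, str]) -> str:
    """Return app_yaml with `secrets` merged into its env_variables block.

    Existing keys keep their place (and are overridden if a secret of the same
    name is supplied); new keys are appended. If the file has no env_variables
    block, one is added at the end.
    """
    lines = app_yaml.splitlines()
    out, i, found = [], 0, False
    while i < len(lines):
        line = lines[i]
        out.append(line)
        i += 1
        if line.rstrip() != "env_variables:":
            continue
        found = True
        block: Dict[str, str] = {}
        # The existing block is the run of non-blank indented lines that follows.
        while i < len(lines) and lines[i].strip() and lines[i][0] in " \t":
            m = _ENV_LINE.match(lines[i])
            if not m:
                raise ValueError(f"unsupported env_variables line: {lines[i]!r}")
            block[m.group(1)] = m.group(2)  # keep the original scalar verbatim
            i += 1
        for name, value in secrets.items():
            block[name] = _quote(value)
        out.extend(f"  {k}: {v}" for k, v in block.items())
    if not found:
        out.append("")
        out.append("env_variables:")
        out.extend(f"  {k}: {_quote(v)}" for k, v in secrets.items())
    return "\n".join(out) + "\n"


def build_deploy_yaml(
    app_yaml_path: str,
    secret_env_vars: Dict[str, str],
    fetch: Callable[[str, Optional[str]], str] = fetch_secret_with_gcloud,
    project: Optional[str] = None,
) -> str:
    """Write the merged app.yaml to a private temp file outside the repo and return its path."""
    with open(app_yaml_path, encoding="utf-8") as f:
        original = f.read()
    secrets = {env: fetch(secret, project) for env, secret in secret_env_vars.items()}
    merged = inject_env_variables(original, secrets)
    fd, path = tempfile.mkstemp(prefix="app-deploy-", suffix=".yaml")  # created mode 0600
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(merged)
    return path


def deploy(app_yaml_path: str, project: Optional[str] = None) -> None:
    """Deploy from the merged file, then delete it so the secrets never linger on disk."""
    path = build_deploy_yaml(app_yaml_path, SECRET_ENV_VARS, project=project)
    try:
        subprocess.run(["gcloud", "app", "deploy", path, "--quiet"], check=True)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    deploy("app.yaml")
```

The merged file is written with `mkstemp` (owner-only permissions, outside the working tree) and removed after the deploy, so the secret-bearing copy can neither be committed by accident nor be left behind on the build machine; keeping `app.yaml` itself free of secrets is what makes it safe to push.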