GoogleCloudPlatform / elixir-runtime

The community-supported runtime for Elixir on Google App Engine.
https://cloud.google.com/elixir
Apache License 2.0

Secret environment variables #15

Closed sean-clayton closed 6 years ago

sean-clayton commented 6 years ago

Howdy, I was wondering if there were a way to configure environment variables without hard-coding them inside of app.yaml.

For example, here is my mix config:

config :my_app, MyApp.Repo,
  username: System.get_env("DB_USERNAME"),
  password: System.get_env("DB_PASSWORD"),
  database: "my_app",
  hostname: System.get_env("DB_HOSTNAME"),
  pool_size: 20

I'd like to be able to modify app.yaml without hard-coding these values, since I store my app.yaml in version control. Is there any possible way of doing this?

dazuma commented 6 years ago

I generally recommend using Elixir's config mechanism as-is, rather than using environment variables for configuration settings. (Mostly because config happens at build time, not runtime, so you risk a lot of confusion by using environment variables like this—if you change environment variable values but the release has already been built, your changes will not have any effect.)

The "Elixir Way" is generally to have a "secret" config file (e.g. prod.secret.exs) that you do not include in version control. Phoenix will set this up for you automatically by default.

If you're looking for a place to put such a file so it gets added at the right time, one approach is to keep it in Cloud Storage. Here's what that might look like. (Caveat: I believe this should work, but I haven't debugged the procedure myself.)

  1. Create a cloud storage bucket for application secrets.
  2. Change the access permissions on the bucket so it grants access only to those who should have access to the secrets. Also grant your project's cloudbuild service account read access. (This is the account that builds your application for app engine—you can find it in the IAM tab in the cloud console; look for a service account with "cloudbuild" in the name.)
  3. Customize build steps for your app and add a step that uses gsutil to download the secrets file into your app's config directory. (When you customize the build steps, note the caveat regarding brunch build.)
  4. You might need to leave a "dummy" copy of the prod.secret.exs file in source control (with dummy values for the secret properties) so your app will still compile in prod. Your custom build step should replace that dummy file with the actual secrets from Cloud Storage.
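To make steps 3 and 4 concrete, here is a small script that a custom build step could call: it fetches the secret config from the bucket, drops it over the dummy copy in config/, and fails the build if the result still holds the placeholder. This is an added example, not code from the elixir-runtime project or from the commenter; the file names, the gs:// path form and the "DUMMY" marker are assumptions.

```shell
#!/bin/sh
# fetch_secrets.sh (hypothetical name): replace the dummy prod.secret.exs
# with the real one from Cloud Storage during the build.
set -eu

# fetch_secrets SRC DEST
#   SRC  - gs://bucket/prod.secret.exs (fetched with gsutil, as in the build
#          step) or a local path (used for offline testing)
#   DEST - the in-tree config file to overwrite, e.g. config/prod.secret.exs
# Returns non-zero if the fetched file still contains the DUMMY marker, so a
# misconfigured bucket or missing object cannot silently ship dummy values.
fetch_secrets() {
  src="$1"
  dest="$2"
  mkdir -p "$(dirname "$dest")"
  case "$src" in
    gs://*) gsutil cp "$src" "$dest" ;;   # real build: Cloud Build SA needs read access
    *)      cp "$src" "$dest" ;;          # local/offline path
  esac
  # "DUMMY" is the assumed placeholder written into the version-controlled copy.
  if grep -q 'DUMMY' "$dest"; then
    echo "fetch_secrets: $dest still contains dummy values; aborting build" >&2
    return 1
  fi
  # Secrets should not be world-readable inside the build container.
  chmod 600 "$dest"
  return 0
}

# Usage: ./fetch_secrets.sh gs://my-secrets-bucket/prod.secret.exs config/prod.secret.exs
if [ "$#" -eq 2 ]; then
  fetch_secrets "$1" "$2"
fi
```
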

dazuma commented 6 years ago

Feel free to re-open if you have follow-up questions.