Closed ahinh43 closed 2 years ago
After some initial searching, I'm not seeing much that connects GAE to GCP secrets manager on startup for env variables. This might need to be a small Node startup script.
I agree, I think we should also pursue the startup route. We'll essentially need these 2 things:
/production/content-library/OAUTH_CLIENT_ID
) and sets it in the running app's environment variables
some starter Node code here: https://stackoverflow.com/questions/70435880/how-to-connect-google-app-engine-with-secret-manager-to-postgres
Terraform changes for GAE service account:
Role name: roles/secretmanager.secretAccessor
In Dev, needs to go on content-library-development@appspot.gserviceaccount.com
In Prod, needs to go on content-library-viewer@appspot.gserviceaccount.com
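A sketch of the startup step discussed above, as an added example that is not code from this thread or the linked answer: it reads each secret through the Secret Manager client's `accessSecretVersion` call and fails closed if any one cannot be read, for instance when the service account lacks `roles/secretmanager.secretAccessor`. The secret IDs, the `SESSION_SECRET` variable, the project ID used with it, and the `fakeClient` stand-in are assumptions made for illustration.

```javascript
// Env var name -> Secret Manager secret ID. IDs are hypothetical placeholders.
const SECRET_MAP = {
  OAUTH_CLIENT_ID: 'content-library-oauth-client-id',
  SESSION_SECRET: 'content-library-session-secret',
};

// Constructed stand-in for SecretManagerServiceClient so the block runs offline.
// Deployed, pass: new (require('@google-cloud/secret-manager').SecretManagerServiceClient)()
function fakeClient(store) {
  return {
    async accessSecretVersion({ name }) {
      if (!(name in store)) throw new Error(`NOT_FOUND: ${name}`);
      return [{ payload: { data: Buffer.from(store[name]) } }];
    },
  };
}

// Fetch every mapped secret, then populate env. Call this before the app
// reads its configuration or starts listening.
async function loadSecretsIntoEnv(client, projectId, secretMap, env = process.env) {
  const entries = Object.entries(secretMap);
  const results = await Promise.allSettled(entries.map(async ([envName, secretId]) => {
    const name = `projects/${projectId}/secrets/${secretId}/versions/latest`;
    const [version] = await client.accessSecretVersion({ name });
    const value = Buffer.from(version.payload.data).toString('utf8');
    if (value.length === 0) throw new Error('empty payload');
    return [envName, value];
  }));

  // Fail closed: if any secret is missing or access is denied, set nothing and
  // refuse to start. The error names the variables, never the values.
  const failures = entries
    .map(([envName], i) => (results[i].status === 'rejected'
      ? `${envName}: ${results[i].reason.message}` : null))
    .filter(Boolean);
  if (failures.length > 0) {
    throw new Error(`secret load failed, refusing to start (${failures.join('; ')})`);
  }
  for (const { value: [envName, value] } of results) env[envName] = value;
  return entries.map(([envName]) => envName);
}
```

With this approach the values exist only in the running process's memory, so nothing sensitive has to be written into `app.yaml` or the deployed source.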
Would we call this ticket done?
yes!
Ideally we'd like to avoid baking sensitive information into our application deployment at rest. Is there a way to securely pull in environment variables and secrets to App Engine's application?
Ideal solutions