Investigate methods to securely pull secret credentials/variables to GAE

[ahinh43]

Ideally we'd like to avoid baking sensitive information to our application deployment at rest. Is there a way to securely pull in environment variables and secrets to app engine's application securely?

Ideal solutions

• Hook GAE to GCP secret manager and present the secrets to app engine as an environment variable
• Create a small startup script that queries the secret manager API in the code which then pulls the key values and sets it as environment variables, then start the rest of the application

[gunsch]

After some initial searching, I'm not seeing much that connects GAE to GCP secrets manager on startup for env variables. This might need to be a small Node startup script.

[ahinh43]

I agree, I think we should also pursue the startup route. We'll essentially need these 2 things:

1. A startup script that runs before the main library app that grabs secrets based on a prefix (i.e /production/content-library/OAUTH_CLIENT_ID) and sets it in the running app's environment variables
2. IAM modifications to the GAE service account so it has permissions to access the secret manager API

[gunsch]

some starter Node code here: https://stackoverflow.com/questions/70435880/how-to-connect-google-app-engine-with-secret-manager-to-postgres

[gunsch]

Terraform changes for GAE service account: Role name: roles/secretmanager.secretAccessor In Dev, needs to go on content-library-development@appspot.gserviceaccount.com In Prod, needs to go on content-library-viewer@appspot.gserviceaccount.com

[gunsch]

45 did part of this

[zenkimoto]

49 also did part of this.

Would we call this ticket done?

[gunsch]

yes!