Google app engine: Best practice for hiding Rails private keys?

I am deploying a Rails application on GAE, whose code is stored on GitHub.

Obviously, I need to hide my private key and database password.

On Heroku, I can set them as environment variables very easily and beautifully using the Heroku GUI, so they are not displayed in any source code or database.

What about GAE? I cannot put them in app.yaml because:

  • .gitignore is not an option: even if I hide the app.yaml file or an alternative JSON file using .gitignore, I have to keep it on my local computer. This means that only I can deploy, and I need to back it up myself. It's horrible.
  • Someone says that I can store secret values in a database. But I also want to hide the database password.

Any idea?

+6
1 answer

The safest way to store this information is to use project metadata. In Flexible / ManagedVM, you can access metadata with a simple HTTP request.

From a Google blog post:

With Compute Engine, containers, and managed virtual machines, there is a magic URL that you can curl to get metadata from.

ManagedVMs is an old name for what is now called the "App Engine Flexible Environment". Since you say that you are using Ruby on App Engine, you should be using Flexible / ManagedVM. Therefore, you should be able to use these "magic URLs".

So, to get the secret named mysecret in Ruby, you can:

    require 'net/http'
    uri = URI('http://metadata.google.internal/computeMetadata/v1/project/attributes/mysecret')
    # The v1 metadata server refuses requests that lack the Metadata-Flavor header
    Net::HTTP.start(uri.host, uri.port) { |http| http.get(uri.path, 'Metadata-Flavor' => 'Google').body }

(For @joshlf) Here's how to access project metadata in the standard App Engine environment in Python:

    # Note that the code will not work on dev_appserver;
    # you will need to switch to some other mechanism
    # for configuration in that environment.
    # Specifically, the project_id will resolve to something
    # the Compute Engine API will treat as invalid.
    from google.appengine.api import app_identity
    from googleapiclient import discovery
    from oauth2client.client import GoogleCredentials

    compute = discovery.build(
        'compute', 'v1',
        credentials=GoogleCredentials.get_application_default())


    def get_project_metadata(metadata_key):
        """Return the value of the project-level metadata item, or None if unset."""
        project_id = app_identity.get_application_id()
        project = compute.projects().get(project=project_id).execute()
        # 'items' is absent when the project has no custom metadata at all
        for entry in project['commonInstanceMetadata'].get('items', []):
            if entry['key'] == metadata_key:
                return entry['value']
        return None


    get_project_metadata('my_key')
+2
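As an added example, not part of the original question or answer: a small Ruby client for the "magic URL" the answer describes, written the way a Rails app on the Flexible environment would consume it. It assumes the documented v1 metadata endpoint and its mandatory "Metadata-Flavor: Google" request header (the metadata server refuses a bare request without it with HTTP 403), treats a 404 as "attribute not set", and falls back to an environment variable only when no metadata server is reachable at all (a developer laptop or dev_appserver). The in-process fake server, the attribute name mysecret, its value and the fallback environment hash are all constructed here so the code runs offline.

```ruby
require 'net/http'
require 'socket'
require 'uri'

# Client for project attributes on the GCE / App Engine Flexible metadata
# server. Assumes the documented v1 endpoint and its mandatory
# "Metadata-Flavor: Google" request header (requests without it get 403).
class MetadataSecrets
  DEFAULT_BASE = 'http://metadata.google.internal/computeMetadata/v1'.freeze

  class Unavailable < StandardError; end

  def initialize(base_url = DEFAULT_BASE, fallback_env: ENV)
    @base = URI(base_url)
    @fallback_env = fallback_env
    @cache = {} # fetched once per process; never logged
  end

  # Value of the project attribute +key+, or nil if the attribute is not set.
  # Only if the metadata server cannot be reached at all (developer laptop,
  # dev_appserver) fall back to the environment variable of the same name,
  # upper-cased, so local runs need no metadata server.
  def fetch(key)
    return @cache[key] if @cache.key?(key)

    value = begin
      from_metadata(key)
    rescue Unavailable
      @fallback_env[key.upcase]
    end
    @cache[key] = value
  end

  private

  def from_metadata(key)
    path = "#{@base.path}/project/attributes/#{URI.encode_www_form_component(key)}"
    req = Net::HTTP::Get.new(path, 'Metadata-Flavor' => 'Google')
    res = Net::HTTP.start(@base.host, @base.port, open_timeout: 1, read_timeout: 2) do |http|
      http.request(req)
    end
    case res
    when Net::HTTPSuccess  then res.body
    when Net::HTTPNotFound then nil # attribute simply not defined on the project
    else raise Unavailable, "metadata server answered HTTP #{res.code}"
    end
  rescue SystemCallError, SocketError, Timeout::Error => e
    raise Unavailable, e.message
  end
end

REASON = { 200 => 'OK', 403 => 'Forbidden', 404 => 'Not Found' }.freeze

# Constructed stand-in for the real metadata server so the example runs
# offline. It reproduces the two behaviours the client has to cope with:
# a missing "Metadata-Flavor: Google" header is refused with 403, and an
# attribute that is not set answers 404. Returns the base URL to use.
def start_fake_metadata_server(attributes)
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      client = server.accept
      request_line = client.gets
      next client.close if request_line.nil?
      headers = {}
      while (line = client.gets) && line != "\r\n"
        name, value = line.split(':', 2)
        headers[name.strip.downcase] = value.to_s.strip
      end
      path = request_line.split(' ')[1].to_s
      key = path[%r{\A/computeMetadata/v1/project/attributes/([^/?]+)\z}, 1]
      status, body =
        if headers['metadata-flavor'] != 'Google'
          [403, 'Missing Metadata-Flavor:Google header.']
        elsif key && attributes.key?(key)
          [200, attributes[key]]
        else
          [404, 'Not Found']
        end
      client.write("HTTP/1.1 #{status} #{REASON[status]}\r\nContent-Length: #{body.bytesize}\r\n" \
                   "Connection: close\r\n\r\n#{body}")
      client.close
    end
  end
  "http://127.0.0.1:#{server.addr[1]}/computeMetadata/v1"
end

# Status code returned to a bare request with no Metadata-Flavor header.
def status_without_header(base_url)
  Net::HTTP.get_response(URI("#{base_url}/project/attributes/mysecret")).code
end

# Loopback port nothing listens on, to simulate a machine without a metadata server.
def unreachable_base_url
  probe = TCPServer.new('127.0.0.1', 0)
  port = probe.addr[1]
  probe.close
  "http://127.0.0.1:#{port}/computeMetadata/v1"
end

def demo
  dev_env = { 'DB_PASSWORD' => 'local-dev-only' } # constructed stand-in for ENV
  base = start_fake_metadata_server('mysecret' => 's3cr3t-from-metadata') # constructed value
  {
    present: MetadataSecrets.new(base, fallback_env: dev_env).fetch('mysecret'),
    absent: MetadataSecrets.new(base, fallback_env: dev_env).fetch('db_password'),
    no_header: status_without_header(base),
    fallback: MetadataSecrets.new(unreachable_base_url, fallback_env: dev_env).fetch('db_password')
  }
end

demo.each { |k, v| puts "#{k}: #{v.inspect}" } if $PROGRAM_NAME == __FILE__
```

Two caveats worth keeping in mind when adopting this pattern: the fallback to ENV is deliberately restricted to the "server unreachable" case so that a typo in the attribute name fails loudly as nil in production rather than silently reading a developer's local value, and project metadata is readable by every instance in the project and by any principal with compute.projects.get, so it keeps secrets out of the repository, not away from the rest of the project.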

Source: https://habr.com/ru/post/1012885/
