I want to deploy a web API on Google Cloud and, for test purposes, I would just put the API key in the app.yaml file as an environment variable. Is this a security issue?
CodePudding user response:
It's generally problematic to persist secrets to files. Even if the app.yaml were inaccessible from the runtime service, you'd still face the challenges that it could be exposed in build logs and that you might inadvertently commit app.yaml to e.g. GitHub.
For "testing", you can generally run App Engine locally. This isn't a perfect replica of the production service but it should be sufficient for testing.
A solution for managing secrets is e.g. Google's Secret Manager. SDKs (encouraged) and the underlying REST API (discouraged) are available.
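The inadvertent-commit risk mentioned in the answer can be caught before it reaches a repository. The following is an added example, not part of the original answer: a small check, suitable for a pre-commit hook, that flags literal secret-looking values under `env_variables` in app.yaml. The name heuristic, the placeholder patterns and the sample file are assumptions constructed for this illustration.

```python
import re
import sys

# Env var names that usually hold credentials (heuristic assumed for this example).
SECRET_NAME = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL)", re.I)
# Values treated as harmless placeholders rather than real secrets (assumed patterns).
PLACEHOLDER = re.compile(r"^(|changeme|todo|<.*>|\$\{.*\})$", re.I)

# Constructed sample app.yaml, not taken from the question.
SAMPLE = """\
runtime: python312
env_variables:
  API_KEY: "constructed-example-value-123"   # literal secret: flagged
  LOG_LEVEL: "debug"
  DB_PASSWORD: "<set-at-deploy>"             # placeholder: ignored
handlers:
- url: /.*
  script: auto
"""


def find_literal_secrets(app_yaml_text):
    """Return (line_no, name) for secret-looking literals under env_variables."""
    findings = []
    block_indent = None  # indent of 'env_variables:' while we are inside its block
    for line_no, raw in enumerate(app_yaml_text.splitlines(), start=1):
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is not None and indent <= block_indent:
            block_indent = None  # dedent: the env_variables block has ended
        if block_indent is None:
            if line.strip() == "env_variables:":
                block_indent = indent
            continue
        name, sep, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if sep and SECRET_NAME.search(name) and not PLACEHOLDER.match(value):
            findings.append((line_no, name.strip()))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hits = find_literal_secrets(text)
    for line_no, name in hits:
        print(f"app.yaml:{line_no}: literal value for {name}; load it from a secret store instead")
    sys.exit(1 if hits else 0)
```

Run with a path to app.yaml as the only argument; a non-zero exit status blocks the commit when used as a hook.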