Does it mean your secrets are stored in plain text in the container image?
> In App Engine standard I've used a deploy wrapper around ansible vault to do it.
What does the deploy wrapper do? Does it produce an app.yaml file with the secrets injected in it, after having been decrypted by Ansible Vault?
A: No. It means the secrets are stored as environment variables in the container.
Q: What does the deploy wrapper do?
A: It prompts the developer to input the ansible vault password, decrypts the vault and injects the secrets into the environment.
Generally speaking, I follow the 12-factor approach:
https://12factor.net/
You mean a section in your app.yaml like this one:
env_variables:
  DB_PASSWORD: "this is a secret"