How to properly deploy node apps to GAE with secret keys?

我与影子孤独终老i submitted on 2020-01-16 07:42:11

Question


I am exploring GAE with nconf and I'm wondering if the following setup is secured after I deploy an App.

What concerns me is whether both my "config.dev.json" and "config.prod.json" files are deployed despite my including them in ".gitignore".

I am unsure what information is passed along to gae (I don't want my config keys exposed) after I do:

$ git add .
$ git commit -m 'Commiting'
$ gcloud app deploy

My Node App structure looks like this:

 - /myProject
   - /node_modules
   - .gitignore
   - app.js
   - app.yaml
   - config.js
   - keys.dev.json
   - keys.prod.json
   - package-lock.json
   - package.json

// .gitignore

 node_modules
 keys.dev.json
 keys.prod.json

// config.js:

 const nconf = require("nconf");
 nconf.argv().env();

 if (nconf.get("NODE_ENV") === "production") {
     nconf.file("keys.prod.json");
 } else {
     nconf.file("keys.dev.json");
 }
 ...

Answer 1:


Including files in .gitignore has no implications whatsoever on deployment on GAE, that file is only used by git.

If you want to prevent deployment of a file to GAE you need to use the skip_files option in your app.yaml file's General settings:

skip_files

Optional. The skip_files element specifies which files in the application directory are not to be uploaded to App Engine. The value is either a regular expression, or a list of regular expressions. Any filename that matches any of the regular expressions is omitted from the list of files to upload when the application is uploaded.

For example, to skip files whose names end in .bak, add a skip_files section like the following:

skip_files:
- ^(.*/)?.*\.bak$

Side notes:

  • if I understand correctly, your app uses those files, so it appears to me like you will have to deploy them together with your app.
  • even if a file is deployed on GAE it is your app's responsibility (and complete control) in deciding if the file is exposed to outside requests or not.
  • if you want to know exactly which files are included in the deployment you can see them displayed during deployment by using the --verbosity option for the gcloud app deploy command.
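
An added example, not part of the original answer: a small Node.js model of the skip_files rule quoted above, run over the question's project layout to show which git-ignored key files would still be uploaded. It assumes each pattern is tested against the path relative to the app directory and uses JavaScript RegExp as a stand-in for App Engine's matcher; the function names and the stray .bak file are hypothetical.

```javascript
// Constructed sample: the question's project layout as paths relative to the
// app directory, plus one stray backup copy added for illustration.
const projectFiles = [
  ".gitignore", "app.js", "app.yaml", "config.js",
  "keys.dev.json", "keys.prod.json", "keys.prod.json.bak",
  "package-lock.json", "package.json",
];

// Entries from the question's .gitignore. uploadPlan() never reads this list:
// git's ignore rules play no part in deciding what is uploaded.
const gitignoreEntries = ["node_modules", "keys.dev.json", "keys.prod.json"];

// Split the file list the way skip_files is described: a file whose path
// matches any of the patterns is omitted from the upload.
function uploadPlan(files, skipPatterns) {
  const regexes = skipPatterns.map((p) => new RegExp(p));
  const uploaded = [];
  const skipped = [];
  for (const file of files) {
    (regexes.some((re) => re.test(file)) ? skipped : uploaded).push(file);
  }
  return { uploaded, skipped };
}

// Files that git ignores but that would still be part of the deployment.
function ignoredButUploaded(uploaded, ignored) {
  return uploaded.filter((f) => ignored.includes(f));
}

// Hypothetical skip_files patterns: drop the dev keys and any .bak copies,
// keep keys.prod.json because config.js loads it when NODE_ENV is production.
const skipPatterns = ["^(.*/)?keys\\.dev\\.json$", "^(.*/)?.*\\.bak$"];

const withoutSkips = uploadPlan(projectFiles, []);
const withSkips = uploadPlan(projectFiles, skipPatterns);

console.log("git-ignored but uploaded, no patterns:",
  ignoredButUploaded(withoutSkips.uploaded, gitignoreEntries));
console.log("skipped with patterns:", withSkips.skipped);
console.log("git-ignored but uploaded, with patterns:",
  ignoredButUploaded(withSkips.uploaded, gitignoreEntries));
```

keys.prod.json stays in the upload in both cases, so keeping it away from outside requests remains the app's job, as the second side note says.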


Source: https://stackoverflow.com/questions/48238273/how-to-properly-deploy-node-apps-to-gae-with-secret-keys
