问题
If I had credentials I need to store in Google Compute Engine or Google App Engine for use at build time, how should I store them? Is there something better than storing them in code, or in a bucket?
回答1:
One option is to encrypt the secrets with a key from Cloud KMS, and store them either in a storage bucket or keep them in the binary. This lets you manage permissions and logging on the key, to indirectly manage who accesses the secret.
回答2:
As of December 2019, you should store secrets with Google Secret Manager:
$ echo "ABC1234..." | gcloud beta secrets create "my-api-key" \
--data-file=- \
--replication-policy "automatic"
You can use the Secret Manager REST APIs to access secrets, or a client library.
来源:https://stackoverflow.com/questions/41597874/how-should-i-store-secrets-for-use-in-google-cloud-platform