
Secret management for nodejs app on google cloud app engine

I had a talk with a friend today about a project his startup is doing. It is a nodejs application with a mongodb backend hosted on Google Cloud App Engine. To my horror I saw that he has stored secrets such as API keys and database keys in his git repo.

I come from an Azure and .NET background, so I am used to using Azure Key Vault, and don't know what the preferred way of doing it in GAE is. I have tried to read the docs, but there are a lot of options and none seems to quite mirror what I am used to in Azure.

I would like to help my friend out.

So could anyone please point me towards what product I should read up on? Is it Hashicorp Vault, Google Cloud HMS or Berglas? My needs are that the vault needs to be able to store secrets encrypted, and the nodejs app should not need to worry about authenticating with the vault. The vault should just allow the service account to read secrets.

If the vault can also fit into a Terraform setup where we can provision all resources and, at provisioning, also generate the secrets needed and then put them into the vault without any human ever laying eyes on that secret, then that would be really awesome. That way we could also create a setup where he would be able to provision a full disposable environment based on a feature branch. But that is just a nice to have.

Based on the fact that you want to use Terraform as well, I would suggest using HashiCorp. There is a blog post about the combination of those two from Google. In general, all those solutions that you mentioned in your question are viable, and you can find more here.
