by frabcus 2927 days ago

It's really unclear from this what the security best practice is for where to put the Cloud SQL password.

Do we just assume the password is public info and rely on IAM?

This discusses really clunky methods to use the legacy datastore or a bucket to store a password.

https://stackoverflow.com/questions/22669528/securely-storin...

Seems odd when competitors (Heroku, Beanstalk) have a special system for keeping environment variables with the password in.

1 comments

At this point I believe Google has a deep aversion to storing secrets in environment variables. The best way I have found so far is to use Cloud KMS to encrypt the credentials and have the deploy process be able to fetch and decrypt them on the fly. Some folks also store that and other config in Datastore, although I think that's really clunky. You can also use Google Cloud KMS-backed HashiCorp Vault: https://cloud.google.com/solutions/using-vault-for-secret-ma...
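
The Cloud KMS approach described in the comment above, sketched as an added example that is not part of the original thread: the password is encrypted once from stdin, and the deploy step decrypts it into a file readable only by the deploying user. The key ring `app-secrets`, the key `cloudsql-password`, the `KMS_*` variables and the function names are assumptions for illustration.

```shell
# Added example, not from the thread. Hypothetical names: key ring
# "app-secrets", key "cloudsql-password", and the KMS_* variables.
KMS_LOCATION="${KMS_LOCATION:-global}"
KMS_KEYRING="${KMS_KEYRING:-app-secrets}"
KMS_KEY="${KMS_KEY:-cloudsql-password}"

# One-time, by an operator: encrypt the password read from stdin, so the
# plaintext never lands in argv, shell history or a temp file.
# $1 = ciphertext file to write (this is what ships with the deploy).
encrypt_db_password() {
  gcloud kms encrypt \
    --location "$KMS_LOCATION" --keyring "$KMS_KEYRING" --key "$KMS_KEY" \
    --plaintext-file - --ciphertext-file "$1"
}

# Deploy time: decrypt into a file only the deploying user can read.
# $1 = ciphertext file, $2 = plaintext file to create.
decrypt_db_password() {
  # Fail closed if the ciphertext is missing or empty.
  [ -s "$1" ] || { echo "missing ciphertext: $1" >&2; return 1; }
  # Remove any stale copy so old permissions are not inherited.
  rm -f "$2"
  (
    # umask 077 makes the new file mode 0600 from the moment it exists.
    umask 077
    gcloud kms decrypt \
      --location "$KMS_LOCATION" --keyring "$KMS_KEYRING" --key "$KMS_KEY" \
      --ciphertext-file "$1" --plaintext-file "$2"
  ) || { rm -f "$2"; return 1; }  # never leave a partial plaintext behind
}
```

The identity running the deploy needs only decrypt permission on that one key, so IAM on the key, rather than possession of the ciphertext file, decides who can recover the password.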