by hckr1292 2406 days ago
GAE is incredible and poorly marketed. It's the only serverless product I know of that allows me to use whatever server framework I want (Flask, Rails, Spring) but be blissfully ignorant of the underlying VMs. I spent a week looking at all the other major alternatives out there, and I don't think GAE has any real competitors. It's just a different kind of serverless... in a really good way.

Having said that, it has some serious shortcomings: baked-in monitoring (at least for Python) is much worse than, say, Datadog + Sentry. Additionally, Google doesn't have any great relational serverless databases (which is what I personally want for a regular webapp) -- they do have some solid non-relational databases. Also, no secret store... it's very tricky to securely store secrets inside GAE.

To me, the perfect platform for a webapp is GAE + Aurora + some undiscovered secrets store.

4 comments

Recently they’ve introduced Berglas which has been quite nice in handling secrets. You can store things in env variables as just secret names and it “transforms” them transparently for you into real secrets at runtime. And you can keep your env vars safely in version control.

So at least one problem's solved.

Are there any particular downsides you have with storing secrets as environment variables? It's working in my app, albeit configuration is done via the web UI [of elastic beanstalk] to keep secrets out of SCM.
Storing secrets in env vars is very common in practice, although it presents a slightly bigger attack surface than using something like HashiCorp's Vault to just pull the secrets into memory.

You can sometimes find debug pages etc. for apps and runtimes set up that will show all set environment variables, or have crash monitoring software that will capture env vars and send them elsewhere by default. Those risks can be managed, but having sensitive information not set in the process environment is more 'secure by default'. It also means in the event that someone finds a way to remotely execute code in your process (eval() on an unsanitized input, anyone?) it's much harder to dump out secrets.
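The two comments above describe the same pattern from two sides: the Berglas reply (env vars hold only secret *names*, resolved into real values at runtime) and this reply (anything that dumps the process environment, a debug page or a crash reporter, hands over whatever is in it). The following is an added example that is not from the thread and not Berglas's code; the `secretref://` reference syntax, the in-memory `FAKE_SECRET_STORE` backend and the sample environments are all constructed for illustration. It resolves references at startup into an in-memory holder and then shows what a simulated environment dump captures under each approach.

```python
"""Resolve secret references from env vars into memory (added example).

Pattern: os.environ carries only references such as secretref://prod/db-password
(safe to commit), the process resolves them at startup, and a dump of the
environment reveals only the reference strings, never the values.
"""
import os
from typing import Dict, List, Mapping

# Constructed reference scheme for this example only (not Berglas's real syntax).
REF_PREFIX = "secretref://"

# Constructed stand-in for a secret manager; a real deployment would call the
# cloud secret store's API here instead of reading a dict.
FAKE_SECRET_STORE: Dict[str, str] = {
    "prod/db-password": "s3cr3t-pg-pass",
    "prod/stripe-key": "sk_live_constructed_example",
}


class SecretResolutionError(RuntimeError):
    """Raised when a reference points at a secret the store does not have."""


def fetch_secret(name: str, store: Mapping[str, str] = FAKE_SECRET_STORE) -> str:
    """Look a secret up by name; fail loudly rather than silently using the reference."""
    try:
        return store[name]
    except KeyError:
        raise SecretResolutionError(f"unknown secret reference {name!r}") from None


def resolve_secrets(env: Mapping[str, str],
                    store: Mapping[str, str] = FAKE_SECRET_STORE) -> Dict[str, str]:
    """Return {VAR: real_value} for each env var whose value is a reference.

    The environment is read, never written, so anything that later dumps it
    (debug page, crash reporter) still sees only the reference strings.
    """
    resolved: Dict[str, str] = {}
    for key, value in env.items():
        if value.startswith(REF_PREFIX):
            resolved[key] = fetch_secret(value[len(REF_PREFIX):], store)
    return resolved


class Secrets:
    """In-memory holder for resolved secrets.

    repr/str deliberately show only the names, so a stray log line or
    exception message cannot leak values the way a raw dict would.
    """

    def __init__(self, values: Mapping[str, str]):
        self._values = dict(values)

    def get(self, key: str) -> str:
        return self._values[key]

    def names(self) -> List[str]:
        return sorted(self._values)

    def __repr__(self) -> str:
        return f"Secrets({self.names()})"

    __str__ = __repr__


def load_secrets(environ: Mapping[str, str] = os.environ) -> Secrets:
    """Startup hook: resolve every reference found in the real process environment."""
    return Secrets(resolve_secrets(environ))


def dump_environment(env: Mapping[str, str]) -> Dict[str, str]:
    """Simulates what a leaky debug page or crash reporter captures."""
    return dict(env)


def leaked_values(env: Mapping[str, str], secrets: Secrets) -> List[str]:
    """Which resolved secret values appear verbatim in an environment dump?"""
    dumped = set(dump_environment(env).values())
    return sorted(v for v in (secrets.get(n) for n in secrets.names()) if v in dumped)


# Constructed environments for the demo: references vs. plaintext in env.
REFERENCE_ENV = {
    "DB_PASSWORD": "secretref://prod/db-password",
    "STRIPE_KEY": "secretref://prod/stripe-key",
    "PORT": "8080",
}
PLAINTEXT_ENV = {
    "DB_PASSWORD": "s3cr3t-pg-pass",
    "STRIPE_KEY": "sk_live_constructed_example",
    "PORT": "8080",
}

if __name__ == "__main__":
    secrets = Secrets(resolve_secrets(REFERENCE_ENV))
    print("resolved:", secrets)  # names only, e.g. Secrets(['DB_PASSWORD', 'STRIPE_KEY'])
    print("leaked from reference env:", leaked_values(REFERENCE_ENV, secrets))
    plain = Secrets({k: v for k, v in PLAINTEXT_ENV.items() if k != "PORT"})
    print("leaked from plaintext env:", leaked_values(PLAINTEXT_ENV, plain))
```

Two caveats a practitioner would want stated: resolving into memory removes the environment-dump class of leak, but it does nothing against code already executing inside the process, which can still reach the `Secrets` object; and if the secret store is unreachable at startup, `SecretResolutionError` should stop the process rather than let it run with the literal reference string as a credential.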

What's your issue with CloudSQL or Spanner?
What's Aurora?
Aurora Serverless database from AWS.