Who can read files with secrets on Google App Engine? - google-app-engine

If I deploy a config with secrets to Google App Engine, who exactly can read this config?
For instance, I have a config.json, which holds API secrets, which I don't want to let anyone see. Who could potentially see this file?
The reason for this question is, if it's worth using some key encryption services for the config file.

As clarified in the documentation Predefined App Engine roles, the below roles are the ones that can visualize the configs from App Engine:
App Engine Admin
App Engine Service Admin
App Engine Deployer
App Engine Viewer
App Engine Code Viewer
Outside of the users with one of the above roles, no one should have access to your config files, which includes your config.json with your secrets.
Since this is a security matter, I think adding encryption is always a good idea. This way, you will add an additional layer of security to your application - something that is always good.
In case you decide to go with encryption, I would recommend you to check this post here, where some encryptions and options of how to do it are described and that I believe would help you.
Let me know if the information helped you!
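To see which principals in a project actually hold the roles listed in the answer above, the project's IAM policy can be audited. This is an added example, not part of the original answer: the role IDs are the IAM identifiers for those five predefined roles, and the policy document is a constructed sample in the shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints.

```python
import json

# IAM role IDs for the five predefined App Engine roles named in the answer.
APP_ENGINE_ROLES = {
    "roles/appengine.appAdmin": "App Engine Admin",
    "roles/appengine.serviceAdmin": "App Engine Service Admin",
    "roles/appengine.deployer": "App Engine Deployer",
    "roles/appengine.appViewer": "App Engine Viewer",
    "roles/appengine.codeViewer": "App Engine Code Viewer",
}

# Constructed sample policy (all principals and project names are made up).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/appengine.deployer",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/appengine.codeViewer",
     "members": ["user:alice@example.com", "group:contractors@example.com"]},
    {"role": "roles/appengine.appAdmin", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]}
  ]
}
""")

def app_engine_role_holders(policy):
    """Map each principal to the sorted App Engine role names it holds."""
    holders = {}
    for binding in policy.get("bindings", []):
        name = APP_ENGINE_ROLES.get(binding.get("role"))
        if name is None:
            continue  # not one of the five roles listed in the answer
        for member in binding.get("members", []):
            holders.setdefault(member, set()).add(name)
    return {m: sorted(r) for m, r in sorted(holders.items())}

def broad_principals(holders):
    """Groups and domains expand to many people, so flag them for review."""
    broad = ("group", "domain", "allUsers", "allAuthenticatedUsers")
    return [m for m in holders if m.split(":", 1)[0] in broad]

if __name__ == "__main__":
    found = app_engine_role_holders(SAMPLE_POLICY)
    for member, roles in found.items():
        print(member, "->", ", ".join(roles))
    print("review membership of:", broad_principals(found))
```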

Related

How do I serve an app engine version via subdomain when my app runs through Google Apps?

I'm trying to use a subdomain to serve a matching version id with Google App Engine and Google Apps. I've gone through the documentation but it's still unclear to me.
On this page regarding custom domains, it says I'm in a special case for using Google Apps. test.example.com -> to load "test" version of the application.
https://cloud.google.com/appengine/docs/domain -
Note that the instructions on this page are for App Engine apps that use an ordinary HTTP connection and are not served through Google Apps. Here are some related procedures that require different instructions:
This leads me to here https://support.google.com/a/answer/91080
It looks like the only way to add this subdomain in Google Apps is the Sites URL field.
Will the Sites URL correspond to the App Engine version ID?
You only need to use Google Apps to map an appengine app to a domain if you need https. Right now, Google Apps is the only way you can upload an SSL cert - hence this restriction.
If you do map your appengine app to a domain through Google Apps, you can do what you want by using wildcard subdomain mapping. Read more here.
The whole process is tedious, slow, and painful, and that's only when it's not confusing, so put aside a good few hours to make all the changes and wait for DNS to propagate.

Google App Engine Access Cloud Datastore from Different Project

I have been trying to find a solution to accessing a datastore in one project from a different google app engine project. I went through the tutorial on accessing a datastore from a different project's compute engine, however, this is not what I am looking for. What is required here is accessing a datastore on one project from a different app engine project. Has anyone done this successfully? Any ideas?
Cheers
As @Patrice says, this is possible by using the Remote API for Java (or for Python), which lets you access different App Engine services from any other application, as stated in the documentation.
For more specific information on how to access the Datastore remotely with the Remote API, please take a look at this article from the documentation that explains the whole procedure step by step.
Please, take into account that if your Google account is configured to use 2-Step Verification, you will need an App Password that authorizes the app to access your account resources.
There is actually an API that lets you make calls to App Engine services from anywhere, even from another app, as long as the credentials are OK. It's called the "remote API".

Google App Engine, custom domain and SSL error

I'm trying to set up Google App Engine with a custom domain and SSL.
I've added the certificates to Google Apps and added the custom domains to Google App Engine.
I can successfully access http://domain.com and https://domain-com.appspot.com but when I try to access https://www.domain.com I got the following error: This webpage is not available
The domain is lonardiDOTorg
Any suggestions?
After some research, my findings show that this isn't supported for the time being.
Issue 10802 on the Google App Engine issue tracker seems to confirm that it isn't yet available at the moment.
This Stack Overflow post seems to contain the different workarounds that other users have used.
I hope this helps.
It is very challenging to help with this kind of issue without being able to inspect the domain and app itself.
Are there any privacy concerns in sharing the domain name so that we can see if the page is being returned by Google or by your DNS provider? It may be possible that the DNS records aren't set correctly.
Keep in mind that as this configuration is done on the Google Apps side, the Apps team may be able to assist if you have an Apps for Business account. This could help get assistance without sharing any information.
Apps Help Center: https://support.google.com/a/answer/2644334
Apps Contact Page: https://support.google.com/a/answer/2644334#contact=1

Security between Google App Engine projects

How do I ensure that only a specific Google App Engine project can communicate with another web endpoint located in another GAE project?
I want to lock communication between App Engine projects.
What would be the best way to accomplish this?
The best way would be to make use of the request header X-Appengine-Inbound-Appid within your App Engine web endpoint application to assert the identity of your specific App Engine app that should be allowed to communicate. This header is added to the request by the URLFetch service and is not user modifiable.
Detailed documentation can be found at https://cloud.google.com/appengine/docs/python/appidentity/#Python_Asserting_identity_to_other_App_Engine_apps
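One way to enforce the header check described in the answer above, written as WSGI middleware on the receiving app. This is an added example, not code from the original answer or from App Engine; the app ID `frontend-project-example`, the `example.caller_app_id` environ key and the `simulate` helper are hypothetical, and the check is only meaningful when requests reach the app through App Engine's front end, which sets the header as the answer describes.

```python
from wsgiref.util import setup_testing_defaults

# WSGI environ name of the X-Appengine-Inbound-Appid request header.
HEADER_KEY = "HTTP_X_APPENGINE_INBOUND_APPID"

class InboundAppIdGate:
    """Pass a request on only if the calling app ID is on the allowlist."""

    def __init__(self, app, allowed_app_ids):
        self.app = app
        self.allowed = frozenset(allowed_app_ids)
        if not self.allowed:
            raise ValueError("allowlist is empty; refusing to start open")

    def __call__(self, environ, start_response):
        caller = environ.get(HEADER_KEY, "")
        # Exact match only: a missing header, or a comma-joined value from a
        # repeated header, never equals an allowlisted ID and is rejected.
        if caller not in self.allowed:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"caller not allowed\n"]
        environ["example.caller_app_id"] = caller  # hypothetical key
        return self.app(environ, start_response)

def backend(environ, start_response):
    """Stand-in for the protected endpoint."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["example.caller_app_id"]).encode()]

def simulate(app, inbound_app_id=None):
    """Run one constructed request through the app; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    if inbound_app_id is not None:
        environ[HEADER_KEY] = inbound_app_id
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body = b"".join(app(environ, start_response))
    return seen["status"], body

GATED = InboundAppIdGate(backend, {"frontend-project-example"})

if __name__ == "__main__":
    for app_id in ("frontend-project-example", "other-project", None):
        print(app_id, "->", simulate(GATED, app_id)[0])
```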
Not tested, but I thought application itself is admin, so how about like this?
Add login: admin to all handlers in app.yaml
Go to Google Developer Console, project -> Permissions, then Add project account which you want to communicate with into service accounts.
I hope it works.

Does hosting an appengine app on custom domain force me to be a google apps customer?

I have a domain I bought (via godaddy.com) - let's call it xyz.com
I have a GAE app - let's call it xyzweb.appspot.com
I added a masked redirect at godaddy dns management console and now xyz.com gets redirected to xyzweb.appspot.com (even though the address bar shows xyz.com)
This stops working well in some cases like when I give a direct url redirect like href='/static/url/tohelppage.html' or when I attempt to redirect for OAuth authorization. So I read other posts on what I need to do and the most referred one was https://developers.google.com/appengine/docs/domain.
Based on that page it appears that it is necessary to sign up for a new Google Apps account with the new domain name?
So I Have to pay for Google Apps separately beyond what I am paying for Google AppEngine?
And also manage a separate apps domain and its services? I already have google apps domains and this seems more overhead to run a small app on gae.
Could you please help me understand if I've understood this right? And if there is a way to avoid the additional overhead of an extra google apps account?
The way that I do this, is I set up a basic google apps account (which is free), and I link the GAE app to my google apps account. Then you can set google apps to alias "www" to the appengine app, and now your appengine app works on www.yourdomain.tld
It's explained more here, which I know you already looked at, but it explains it well. Try reading it again.
