Building Google Cloud Platform Solutions

Cloud Key Management Service (KMS)

A more robust approach to managing App Engine secrets is through the use of Cloud KMS, which is Google's key management service. Cloud KMS provides tools to generate, store, and rotate encryption keys. Cloud KMS does not expose private keys directly. Instead, encryption is performed on the client's behalf through the Cloud KMS API. As a result, applications can use KMS to encrypt and decrypt data stored virtually anywhere. For example, a team can encrypt application secrets using the KMS API. Encrypted secrets can then be stored in Cloud Storage, datastore, version control, or anywhere else. Note that because the encrypted value can be stored anywhere, this approach can be used for much more than simple application secrets.

When done correctly, this approach can be very secure, and because it is not App Engine-specific, it is portable across Google Cloud products. There are, however, several considerations when evaluating this approach. For example, because Cloud KMS does not directly expose private keys, developers will need to adapt their services to delegate encryption and decryption to the KMS API rather than performing it locally.
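The workflow described above (encrypt a secret through the KMS API, commit only the ciphertext, decrypt at startup) as an added example; this is not code from the book. It follows the `request={"name": ..., "plaintext": ...}` call shape of the `google-cloud-kms` library's `KeyManagementServiceClient.encrypt` and `decrypt` methods, but takes the client as a parameter so that the constructed `FakeKms` stand-in (which only mimics the response shape and is not real encryption) lets the example run offline; `KEY_NAME` is a placeholder resource name, and the secrets are constructed sample values. It also enforces the 64 KiB plaintext limit of a direct KMS encrypt call, which the text does not mention.

```python
"""Encrypt application secrets with Cloud KMS and keep only ciphertext.

The application never handles key material: it sends plaintext to the KMS
API to encrypt, stores the ciphertext wherever it likes (here, a JSON
document suitable for version control), and asks KMS to decrypt at startup.
"""
import base64
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Protocol

# Placeholder resource name (assumption). In production it comes from
# client.crypto_key_path(project, location, key_ring, crypto_key).
KEY_NAME = ("projects/PROJECT_ID/locations/global/keyRings/app-keys"
            "/cryptoKeys/app-secrets")

# Direct KMS encrypt/decrypt accepts at most 64 KiB of plaintext.
MAX_DIRECT_PLAINTEXT = 64 * 1024


class KmsClient(Protocol):
    """The subset of KeyManagementServiceClient this module uses."""
    def encrypt(self, request: dict) -> Any: ...
    def decrypt(self, request: dict) -> Any: ...


def encrypt_secret(kms: KmsClient, key_name: str, plaintext: bytes) -> str:
    """Encrypt one secret via KMS; returns base64 ciphertext for storage."""
    if len(plaintext) > MAX_DIRECT_PLAINTEXT:
        raise ValueError("exceeds 64 KiB; wrap a data key instead (envelope encryption)")
    resp = kms.encrypt(request={"name": key_name, "plaintext": plaintext})
    return base64.b64encode(resp.ciphertext).decode("ascii")


def decrypt_secret(kms: KmsClient, key_name: str, ciphertext_b64: str) -> bytes:
    """Ask KMS to decrypt a stored ciphertext; the key never leaves KMS."""
    ciphertext = base64.b64decode(ciphertext_b64)
    resp = kms.decrypt(request={"name": key_name, "ciphertext": ciphertext})
    return resp.plaintext


def seal_config(kms: KmsClient, key_name: str, secrets: dict[str, str]) -> str:
    """Build a JSON document holding only ciphertext plus the key used."""
    sealed = {
        "kms_key": key_name,
        "secrets": {k: encrypt_secret(kms, key_name, v.encode()) for k, v in secrets.items()},
    }
    return json.dumps(sealed, indent=2)


def load_config(kms: KmsClient, sealed_json: str) -> dict[str, str]:
    """Decrypt every value in a sealed document (e.g. at service startup)."""
    doc = json.loads(sealed_json)
    key_name = doc["kms_key"]
    return {k: decrypt_secret(kms, key_name, v).decode() for k, v in doc["secrets"].items()}


@dataclass
class _Reply:
    """Mirrors the .ciphertext / .plaintext attributes of real KMS responses."""
    ciphertext: bytes = b""
    plaintext: bytes = b""


class FakeKms:
    """Constructed stand-in so the example runs offline. It XORs with a
    SHA-256 keystream derived from the key name: NOT real encryption, it
    exists only to exercise the calling code with the right request shape.
    Replace with kms_v1.KeyManagementServiceClient() in production."""

    @staticmethod
    def _keystream(key_name: str, n: int) -> bytes:
        out, counter = b"", 0
        while len(out) < n:
            out += hashlib.sha256(f"{key_name}:{counter}".encode()).digest()
            counter += 1
        return out[:n]

    def encrypt(self, request: dict) -> _Reply:
        pt = request["plaintext"]
        ks = self._keystream(request["name"], len(pt))
        return _Reply(ciphertext=bytes(a ^ b for a, b in zip(pt, ks)))

    def decrypt(self, request: dict) -> _Reply:
        ct = request["ciphertext"]
        ks = self._keystream(request["name"], len(ct))
        return _Reply(plaintext=bytes(a ^ b for a, b in zip(ct, ks)))


if __name__ == "__main__":
    kms = FakeKms()
    sealed = seal_config(kms, KEY_NAME, {"DB_PASSWORD": "constructed-sample"})
    print(sealed)                  # safe to commit: ciphertext only
    print(load_config(kms, sealed))  # decrypted into memory at startup
```

Because decryption is delegated to the API, every startup (or every rotation) is a KMS call that is logged and subject to IAM; granting the service account only `cloudkms.cryptoKeyVersions.useToDecrypt` on the key keeps the deploy pipeline, which needs encrypt, separate from the runtime, which needs decrypt.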