General considerations

When dealing with application secrets, it is important to consider the level of exposure each solution creates. For example, secrets stored on the Compute Engine metadata server must be project-wide to be used by App Engine. This means that any service running on App Engine or Compute Engine, as well as any service able to authenticate against the metadata API, will be able to read these values. For many use cases, this is likely an acceptable level of exposure, but teams should evaluate the risks on a per-secret basis.

Another consideration when dealing with application secrets in App Engine is that these secrets may become readable through the use of the Stackdriver Debugger. If this is a concern, teams should leave debugging and SSH access disabled for all services, and teams should restrict debugging access by only providing users with the Stackdriver Debugger roles as needed roles/clouddebugger.agent and roles/clouddebugger.user.