如何将环境变量添加到 Google App Engine

Question

我已将我的 Django 项目部署到 Google App Engine，我需要添加环境变量。

文档说要将它们添加到 app.yaml，但这似乎是一种不好的做法，因为 app.yaml 应该在您的 git 存储库中。

有什么方法可以像在 Cloud Run > Services > Variables & Secrets 中添加环境变量一样向 App Engine 添加环境变量？

Answer 1

Google Secret Manager 于今年春季推出：

• Enable Secret Manager API

• Add the Secret Manager Secret Accessor role to the App Engine SA

• 从GCP Web UI 或以编程方式创建秘密（代码示例来自官方文档）：

def create_secret(project_id, secret_id):
    """
    Create a new secret with the given name. A secret is a logical wrapper
    around a collection of secret versions. Secret versions hold the actual
    secret material.
    """

    # Import the Secret Manager client library.
    from google.cloud import secretmanager

    # Create the Secret Manager client.
    client = secretmanager.SecretManagerServiceClient()

    # Build the resource name of the parent project.
    parent = client.project_path(project_id)

    # Create the secret.
    response = client.create_secret(parent, secret_id, {
        'replication': {
            'automatic': {},
        },
    })

    # Print the new secret name.
    print('Created secret: {}'.format(response.name))

• 使用应用程序中的机密而不是环境变量：

def access_secret_version(project_id, secret_id, version_id):
    """
    Access the payload for the given secret version if one exists. The version
    can be a version number as a string (e.g. "5") or an alias (e.g. "latest").
    """

    # Import the Secret Manager client library.
    from google.cloud import secretmanager

    # Create the Secret Manager client.
    client = secretmanager.SecretManagerServiceClient()

    # Build the resource name of the secret version.
    name = client.secret_version_path(project_id, secret_id, version_id)

    # Access the secret version.
    response = client.access_secret_version(name)

    # Print the secret payload.
    #
    # WARNING: Do not print the secret in a production environment - this
    # snippet is showing how to access the secret material.
    payload = response.payload.data.decode('UTF-8')
    print('Plaintext: {}'.format(payload))

Answer 2

如果您使用的是持续部署过程，您可以重写（或创建）app.yaml 以包含与 CD 构建系统中每个部署目标相关的变量。

我们使用 Bitbucket 管道将几个文件重写为应用引擎的部署过程的一部分。可以在工作区级别（跨多个存储库）、存储库内以及定义的每个部署目标定义变量。这些变量可以被保护，因此它们是不可读的。

build: &build
  - step:
      name: Update configuration for deployment
      script:
        - find . -type f -name "*.yaml" -exec sed -i "s/\[secret-key-placeholder\]/$SECRET_KEY/g" {} +

参考https://support.atlassian.com/bitbucket-cloud/docs/variables-in-pipelines/#Deployment-variables