Add Cloud SQL MySQL connectivity samples for SQLAlchemy. #1828
Conversation
googlebot
added
the
cla: yes
There was a problem hiding this comment.
Very useful sample, I like it. Just a comment regarding where to put the warning about environment variables. It's more that it's not secure to write them unencrypted and then check it into version control. Environment variables are a common way to pass in secrets to applications if they can be set securely.
| export DB_PASS='my-db-pass' | ||
| export DB_NAME='my_db' | ||
| ``` | ||
| Note: Saving credentials in environment variables is convenient, but not secure - consider a more |
There was a problem hiding this comment.
12 factor app might disagree with you for this. https://12factor.net/config
It all depends on how you set the environment variables. Even Kubernetes secrets can be used to set environment variables, and I wouldn't call that "not secure".
Plus, KMS can't help you store your secrets, only encrypt/decrypt them.
There was a problem hiding this comment.
I have to disagree about the security of store secrets in an environment variable. Environment variables are accesible by any process that runs in the user's environment, leaving them vulnerable. Any secret of significant value should not be stored as an environment variable.
While KMS doesn't directly store secrets, they do have a page on how to store secrets using KMS: https://cloud.google.com/kms/docs/store-secrets
There was a problem hiding this comment.
I've update the wording to condone more specifically against condoning plain-text secrets and added it to the app.yaml as well.
cloud-sql/mysql/sqlalchemy/README.md
Outdated
|
|
||
| ## Google App Engine Standard | ||
|
|
||
| To run on GAE-Standard, create an AppEngine project by following the setup for these |
cloud-sql/mysql/sqlalchemy/README.md
Outdated
|
|
||
| ## Running locally | ||
|
|
||
| To run this application locally, download and install the cloud_sql_proxy by |
There was a problem hiding this comment.
backticks around cloud_sql_proxy or use the proper name (Cloud SQL proxy)
cloud-sql/mysql/sqlalchemy/main.py
Outdated
| import sqlalchemy | ||
|
|
||
|
|
||
| # Saving credentials in environment variables is convent, but not secure |
There was a problem hiding this comment.
Ditto. This isn't the worst practice, and might actually offend the 12-factor app developer community. This comment is appropriate in the app.yaml file, though. You don't want people checking secrets into version control.
| env_variables: | ||
| CLOUD_SQL_INSTANCE_NAME: <MY-PROJECT>:<INSTANCE-REGION>:<MY-DATABASE> | ||
| DB_USER: my-db-user | ||
| DB_PASS: my-db-pass |
There was a problem hiding this comment.
Add a comment that storing passwords in version control is not secure. Suggesting you encrypt the password with KMS would be appropriate here.
kurtisvg
force-pushed
the
cloudsql-connect
branch
from
0d7b1be
to
f7794a3
Compare
New sample app in a series of samples designed to highlight connection best practices. The app is a simple web app that allows voting between two different groups ("Tabs" vs "Spaces") and records the votes in a MySQL backend.
Java equivalent is here.