Hi , If I have an App hosted on a GCE and a DB hosted on a different GCE within the same network , what would be the safest way to authenticate the DB from App ?
2 Answers
Hello! Ben has offered many good ideas, already, but I’ll just add a little to it.
To start with, you will need to authenticate and authorize DB requests through whatever mechanism the particular database supports. For example, each MySQL instance has its own set of users with passwords and capabilities.
But then the question becomes, "How will you transfer that username/password info to the app?" And that is exactly the secrets management question that Ben mentioned. You certainly could use either an object in Cloud Storage or some Compute Engine metadata to make the data available to the instance, but–especially in the case of metadata–you would also want to encrypt that sensitive auth data (i.e. the username/password) and might choose to manage that encryption via Cloud KMS (as Ben linked 🙂 ). If you’re using GKE, you might involve its secrets-handling functionality.
I hope this helps!
Mattias
Thank you Ben and Mattias
No problem! 🙂
On AWS I would probably use the Parameter Store, or possibly Secrets Manager to store the database credentials for use by the App on the instance. However, I’m not finding the equivalent on Google Cloud. There are instructions to store secrets in Cloud Storage encrypted with KMS. This could be an option to avoid storing the database credentials on disk or in source code. I don’t know if this is best practice, but you could also store credentials in the instance metadata. https://cloud.google.com/kms/docs/store-secrets