Hi, if I have an app hosted on a GCE instance and a DB hosted on a different GCE instance within the same network, what would be the safest way to authenticate to the DB from the app?
Hello! Ben has offered many good ideas already, but I’ll just add a little to it.
To start with, you will need to authenticate and authorize DB requests through whatever mechanism the particular database supports. For example, each MySQL instance has its own set of users with passwords and capabilities.
But then the question becomes, "How will you transfer that username/password info to the app?" And that is exactly the secrets management question that Ben mentioned. You certainly could use either an object in Cloud Storage or some Compute Engine metadata to make the data available to the instance, but, especially in the case of metadata, you would also want to encrypt that sensitive auth data (i.e., the username/password) and might choose to manage that encryption via Cloud KMS (as Ben linked 🙂 ). If you’re using GKE, you might involve its secrets-handling functionality.
I hope this helps!
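The flow described in the answer above, written out as an added example (this is not code from the thread or from Google): an operator encrypts the MySQL credential with Cloud KMS and stores the ciphertext, base64-encoded, in a custom instance metadata attribute; at startup the app reads the attribute from the metadata server, decrypts it with the VM's service account, and only then opens the DB connection. The project, key ring, key name and attribute name are assumed placeholders. Two caveats worth keeping in mind: custom metadata is readable by anyone who can call `compute.instances.get` on the VM and by every process on the VM itself, so the encryption protects against the former, not the latter; and the instance's service account should hold only `roles/cloudkms.cryptoKeyDecrypter` on that one key, not a broad KMS role.

```python
"""Read a Cloud KMS-encrypted MySQL credential from GCE instance metadata.

Operator side, run once (names below are assumed placeholders):
  gcloud kms encrypt --location=global --keyring=app-keys --key=db-creds \
      --plaintext-file=creds.json --ciphertext-file=creds.enc
  gcloud compute instances add-metadata app-vm \
      --metadata db-creds-enc="$(base64 -w0 creds.enc)"

creds.json is a small JSON document: {"user": "...", "password": "..."}.
"""
import base64
import json
import urllib.request

METADATA_ROOT = "http://metadata.google.internal/computeMetadata/v1/"
# Assumed resource names; replace with your own project/key ring/key.
KMS_KEY = "projects/my-proj/locations/global/keyRings/app-keys/cryptoKeys/db-creds"
ATTRIBUTE = "db-creds-enc"  # assumed custom metadata attribute name


def http_get_metadata(path):
    """Fetch one value from the GCE metadata server.

    The Metadata-Flavor header is mandatory: the server rejects requests
    without it, which stops a naive SSRF from inside the VM reading metadata.
    """
    req = urllib.request.Request(
        METADATA_ROOT + path, headers={"Metadata-Flavor": "Google"}
    )
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read()


def kms_decrypt(key_name, ciphertext):
    """Decrypt with Cloud KMS using the VM's attached service account.

    The import is deferred so the module loads without google-cloud-kms
    installed (e.g. in unit tests that inject a stand-in decrypt function).
    """
    from google.cloud import kms

    client = kms.KeyManagementServiceClient()
    response = client.decrypt(request={"name": key_name, "ciphertext": ciphertext})
    return response.plaintext


def load_db_credentials(get=http_get_metadata, decrypt=kms_decrypt,
                        attribute=ATTRIBUTE, key_name=KMS_KEY):
    """Return {"user": ..., "password": ...} decrypted from instance metadata.

    `get` and `decrypt` are injectable so the logic can be exercised offline.
    """
    raw = get("instance/attributes/" + attribute).strip()
    # Reject anything that is not clean base64 rather than feeding junk to KMS.
    ciphertext = base64.b64decode(raw, validate=True)
    plaintext = decrypt(key_name, ciphertext)
    creds = json.loads(plaintext)
    missing = {"user", "password"} - set(creds)
    if missing:
        raise ValueError("credential document missing fields: %s" % sorted(missing))
    return creds


def connect_mysql(host, creds, database):
    """Open the DB connection over the VPC-internal address of the DB instance."""
    import mysql.connector  # deferred: only needed on the real VM

    return mysql.connector.connect(
        host=host, user=creds["user"], password=creds["password"], database=database
    )


if __name__ == "__main__":
    creds = load_db_credentials()
    conn = connect_mysql("10.128.0.5", creds, "app")  # assumed internal IP / schema
    print("connected as", creds["user"])
    conn.close()
```

The plaintext credential only ever exists in the app process's memory; nothing on disk, in the console, or in the instance's metadata carries it unencrypted.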
Thank you Ben and Mattias