Is anyone deploying their application to GCP Compute Engine? I wonder a bit about how you are managing secrets.
Are you fetching from GCP Secrets Manager somehow? If yes, where? In some startup script?
We run on GCP.
As an organization, we use Doppler for shared secrets. During instance boot (cloud-init.yml) we instruct our instances to download Doppler, install it, and authenticate with a token that is stored in GCP Secrets Manager. We start (and run) our mix release generated Elixir applications with systemd, and use Doppler to inject secrets at run time.
That looks something like this…
ExecStartPre=/usr/bin/doppler run -- /home/ubuntu/bin/app eval App.Release.migrate
ExecStart=/usr/bin/doppler run -- /home/ubuntu/bin/app start
ExecStop=/home/ubuntu/bin/app stop
This injects the environment variables and runtime.exs just picks them up as you would expect.
Happy to explain further if you need.
We deploy to GCP instances. The secrets are stored in GCP secrets. We use hush using the GCP secrets provider.
Thanks! We ended up writing a custom Config Provider to use GCP Secrets Manager (similar to Hush).
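
For the startup-script route asked about at the top of the thread, here is an added example (not code from any poster or from Doppler/Hush) that reads secrets from GCP Secret Manager at boot and writes a root-only systemd EnvironmentFile. Assumed for illustration: the script name `render-env.sh`, the secret ID `app-database-url`, the path `/etc/app/env`, and an instance service account that holds `roles/secretmanager.secretAccessor`.

```sh
#!/bin/sh
# Added example (not from the thread): build a systemd EnvironmentFile from
# GCP Secret Manager at boot. Secret IDs, variable names and paths are assumed.
set -eu

# Read the latest version of one secret. Auth comes from the instance's
# service account via the metadata server; no key file is stored on disk.
fetch_secret() {
  gcloud secrets versions access latest --secret="$1"
}

# render_env_file OUT VAR=secret-id [VAR=secret-id ...]
# The body runs in a subshell ( ... ) so its variables and umask stay local.
render_env_file() (
  out="$1"; shift
  umask 077                          # temp file is never group/world readable
  tmp="$(mktemp "${out}.XXXXXX")"
  fail() { echo "render_env_file: $1" >&2; rm -f "$tmp"; exit 1; }
  nl='
'
  for pair in "$@"; do
    var="${pair%%=*}"; id="${pair#*=}"
    case "$var" in
      ''|[!A-Z_]*|*[!A-Z0-9_]*) fail "bad variable name: $var" ;;
    esac
    val="$(fetch_secret "$id")" || fail "cannot read secret: $id"
    # One assignment per line: a multi-line secret would corrupt the file.
    case "$val" in *"$nl"*) fail "secret $id is multi-line" ;; esac
    # Escape backslash and double quote so the double-quoted value parses.
    esc="$(printf '%s' "$val" | sed 's/[\\"]/\\&/g')"
    printf '%s="%s"\n' "$var" "$esc" >> "$tmp"
  done
  mv -f "$tmp" "$out"                # atomic replace; never a partial file
)

# Boot-time entry point, e.g. called from the instance startup script:
#   render-env.sh /etc/app/env DATABASE_URL=app-database-url
# The unit then sets EnvironmentFile=/etc/app/env alongside its ExecStart.
if [ "$#" -gt 0 ]; then render_env_file "$@"; fi
```

Unlike the `doppler run` wrapper or a Config Provider, this leaves the secrets on the instance disk, so the file's mode and the directory it lives in are the controls that matter.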