DEV Community: Ramesh Lingappa

Managing Application Secrets like a Pro using Google Secret Manager

Ramesh Lingappa — Sun, 05 Apr 2020 16:48:25 +0000

At the beginning of last year, I wrote an article titled How to secure and manage secrets using Google Cloud KMS, explaining how we can use Google Cloud KMS (Key Management System) to encrypt secrets and securely use it in our applications.

I mentioned it is a decent approach because of the lack of support for good secret management solutions within the Google cloud ecosystem. It is kind of, a hacky way to get the job done, because,

it requires a lot of code setup
had to keep the encrypted version within version control
no easy way to manage these secrets (like a console UI)

Finally, there is now an easier & better a solution, Google has announced their secret management solution Google Secret Manager.

Huge shout-out to Google Cloud and their team behind this solution 👏👏👏

Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and a single source of truth to manage access, and audit secrets across Google Cloud.

Let's get our hands dirty…

Google Cloud Run Service with gRPC using Spring Boot

Ramesh Lingappa — Wed, 01 Apr 2020 09:42:47 +0000

Welcome to another article on Google Cloud Platform. If you are building services using GCP then you might already know the several limitations that come with it. One of them being a lack of support for gRPC in their easy to use solutions such as Google AppEngine (Standard and Flexible), Cloud Functions or in the initial days of Cloud Run.

So if we need to support or have our own gRPC services then we need to use either Google Compute Engine or Google Kubernetes Engine, which is not an easy solution for several small use cases.

An alternate question would be why gRPC? and what benefits does it offer over REST?

If you are new to gRPC, then I highly recommend giving a readout, https://grpc.io. In short,

gRPC is a modern open-source high-performance RPC framework that can run in any environment, efficiently connecting distributed services

gRPC offers several benefits over HTTP APIs with JSON, some of them are,

Strong Contract-based communication
uses improved HTTP/2 protocol
Protobuf (efficient binary message format)
Great support for code generation on several languages

So gRPC is a great fit for communication between microservices.

Going Multi-Regional in Google Cloud Platform

Ramesh Lingappa — Mon, 04 Nov 2019 13:44:36 +0000

For a successful business, it is important to know who your customers are. Knowing your customers helps to understand your business better, build better versions of your ideas, and can make effective decisions for the successful long run. Everyone knows it right!

When it comes to software infrastructure, it remains important. Knowing your customers greatly improves the performance of your application, makes it more resilient, after all, no one likes to wait for the response :)

Okay getting to the point, if your services are being used by a wide range of audiences across the globe, but your servers are located within a single region, then your users from other parts of the world are going to experience high latency resulting in bad user experience. Several case studies are proving why faster response time is very important for business,

Why Performance Matters
Mobile Site Speed Performance,
Google, Amazon, and many other big software giants confirm several milliseconds(ms) increase in latency can degrade user engagement greatly.

Let's go for an example, GCP ping is a simple website which makes a ping request to servers located in various regions, and show result ordered by low latency.

End to End Restful API development using OpenAPI Specification

Ramesh Lingappa — Wed, 23 Oct 2019 09:14:08 +0000

With the increasing number of adoption towards service-oriented architecture and for better integrations with external systems, it became a necessity to write Restful APIs for our services. While building so we might often find several challenges such as,

Standard & Consistent API design
Better documentation
Client Libraries
Playground (better developer experience)

So while writing APIs, we have to make sure it sticks to a standard design principle, update documentation (hosted elsewhere) and finally write client libraries (harder if you have to support multiple languages). Doing all of this manually is a painful job.

Likely we have OpenAPI Specification (formerly known as swagger), which offers us a standard, language-agnostic interface to write RESTful APIs which allows both humans and computers to understand the service capabilities.

AppEngine unit testing made easy with JUnit Rules

Ramesh Lingappa — Fri, 19 Apr 2019 06:23:05 +0000

If you are using AppEngine for hosting your application, then you will be using one or more of their services like Datastore, Memcache, TaskQueues, UserService, etc.

And you will be needing to write unit tests to make sure your application functionality is working as expected with these services. For that, you need to set up some configurations to test these services in your local environment.

How to secure and manage secrets using Google Cloud KMS

Ramesh Lingappa — Tue, 08 Jan 2019 07:03:38 +0000

Let’s jump right in. We all know it’s a bad idea to store application secrets within our code. So why we are storing there it still? Let’s take an example.

We could store those secrets in a file and add it to the gitignore so it’s not added to version control. But there are a couple of hurdles:

How do we manage those secrets?
What happens when the local copy is deleted?
How do we share it with other developers?
How do we manage versioning of those secrets during changes and an audit log of who changed what?
A lot of questions! So we end up storing it within the code, since it’s too much complexity to deal with.

For a big application or application which needs a higher level of security, we can use Production grade secret management services like Hashicorp Vault.

In this article, we will look at a decent approach in dealing with secrets while still achieving better security. We are going to achieve this using Google KMS + Git + IAM + automation.

Dynamic AppEngine Configurations using Gradle Part 2

Ramesh Lingappa — Thu, 29 Nov 2018 15:16:18 +0000

In the previous story Dynamic AppEngine Configurations using Gradle Part 1, we discussed how we can easily deploy to various environments like (prod, stag, test) using simple gradle argument. If you haven’t read before, would recommend to read it before proceeding.

Now let’s take a look at how we can have multiple configuration files(cron.xml, appengine-web.xml, queue.xml) for each of those environments

Read on

Dynamic AppEngine Configurations using Gradle Part 1

Ramesh Lingappa — Tue, 13 Nov 2018 06:21:56 +0000

When working with AppEngine applications, often times we need to work with configuration files like appengine-web.xml, cron.xml, dispatch.xml etc. And also we have multiple environments to deal with like staging, alpha and production.

The problem is we need different configurations for each of those environments for example,

Read On

Auto Detect Environment in Google AppEngine

Ramesh Lingappa — Sat, 03 Nov 2018 05:15:32 +0000

If you were working in a product which is in production or potentially gets to production, then for sure you will be having other environments like Staging, Alpha (and Development of-course) to test your code before deploying it to production

And for each of these environments, you need to set up different Credentials, Configurations and other properties, etc… Eg: ApiKeys, API URLs etc.

Read on

Session Hijacking and how to stop it

Ramesh Lingappa — Tue, 16 Oct 2018 18:06:15 +0000

This story is for beginners and anyone who have minimal idea about cookies (sessions cookies), and not sure how to secure them properly. You don’t have to be a security expert to do that. You just have to understand it then you will know.

Read on

Best practices for building API Keys

Ramesh Lingappa — Tue, 16 Oct 2018 18:02:05 +0000

Hello there, we all know how valuable APIs are, its a gateway to explore other services, integrate with them and build great solutions faster.

Probably you might be having APIs or thinking to build one for other developers to use. As part of it, API needs some form of authentication to access it. There are several authentication standards available already like API Keys, OAuth, JWT, etc.

Read on