I deploy an Google App Engine application, which reads the Pem key of its service account to create signature. Now I put the key on the Cloud Storage, but I'm not sure it's to be. As another option, the key could be embedded in the application code. Which is safer? Or any other options? Are these idea wrong?
EDIT: If you can upload a separate pem key file solely, how could I do it? How does it is written in your yaml?
Reference: You already upload all files wit app. https://stackoverflow.com/a/12609865/1717563
You can deploy the PEM key as part of your application code, but you need to keep it outside any static directories. You should not include it as string in a code file though, but keep it as a separate file, and then upload the key together with the app.
In earlier versions of GAE you could also prevent download of the application code by other developers in your team. Not sure if this option is still supported. If yes, you should consider it, if there are other devs who have access to your app.
Furthermore, you probably want to exclude the PEM key from your versioning system (e.g. git). I do this by excluding the directory that contains all PEM keys and other secret files. You could have a backup in some other safe place.
Alternatively, you could store the PEM key in GCS, as you suggested too, but it might add a little latency to your app and you would need to take care that the permissions are set correctly (and not accidentally changed in the future). I think this approach is less favorable.