Running Django on the App Engine standard environment

Django apps that run onApp Engine standard scale dynamically according to traffic.

This tutorial assumes that you're familiar with Django web development. Ifyou're new to Django development, it's a good idea to work throughwriting your first Django app before continuing.

While this tutorial demonstrates Django specifically, you can use this deployment processwith other Django-based frameworks, such asWagtail andDjango CMS.

This tutorial uses Django 4,which requires at least Python 3.8. App Engine standard supportsPython 3.7 and higher, including Python 3.8.

Objectives

In this tutorial, you will:

  • Create and connect a Cloud SQL database.
  • Create and use Secret Manager secret values.
  • Deploy a Django app to App Engine standard.

Costs

In this document, you use the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use thepricing calculator.

New Google Cloud users might be eligible for afree trial.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Cloud SQL Admin API, Secret Manager, and Cloud Build APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

    Enable the APIs

  5. Install thegcloud CLI.

  6. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  7. Toinitialize the gcloud CLI, run the following command:

    gcloudinit
    Note: You can run the gcloud CLI in the Google Cloud console without installing thegcloud CLI. To run the gcloud CLI in the Google Cloud console,use Cloud Shell.

  8. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

    Go to project selector

  9. Verify that billing is enabled for your Google Cloud project.

  10. Enable the Cloud SQL Admin API, Secret Manager, and Cloud Build APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

    Enable the APIs

  11. Install thegcloud CLI.

  12. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  13. Toinitialize the gcloud CLI, run the following command:

    gcloudinit
    Note: You can run the gcloud CLI in the Google Cloud console without installing thegcloud CLI. To run the gcloud CLI in the Google Cloud console,use Cloud Shell.
  14. If you haven't already done so, initialize App Engine and select your preferred region:

    gcloudappcreate

Prepare your environment

Clone a sample app

The code for the Django sample app is in theGoogleCloudPlatform/python-docs-samples repository on GitHub.

  1. You can eitherdownload the sample as a ZIP file and extract it or clone the repository to your local machine:

    gitclonehttps://github.com/GoogleCloudPlatform/python-docs-samples.git

  2. Go to the directory that contains the sample code:

    Linux/macOS

    cdpython-docs-samples/appengine/standard_python3/django

    Windows

    cdpython-docs-samples\appengine\standard_python3\django

Confirm your Python setup

This tutorial relies on Python to run the sample application on your machine. The sample code also requires installing dependencies

For more details, refer to thePython development environment guide.

  1. Confirm your Python is at least version 3.8.

    python-V

    You should seePython 3.8.0 or higher.

    Note: If you see a version number starting with "2", you may need to runpython3 instead ofpython. If so, remember to reference your chosen Python installation when runningpython commands.

  2. Create a Python virtual environment and install dependencies:

Download Cloud SQL Auth Proxy to connect to Cloud SQL from your local machine

Note: If you are completing this tutorial from Cloud Shell, this section is not required.

When deployed, your app uses the Cloud SQL Auth Proxy that is built intothe App Engine standard environment to communicate with your Cloud SQLinstance. However, to test your app locally, you must install and use a localcopy of the proxy in your development environment. For more details, refer to theCloud SQL Auth Proxy guide.

The Cloud SQL Auth Proxy uses the Cloud SQL API to interact with your SQL instance. To do this, it requires application authentication through thegcloud CLI.

  1. Authenticate and acquire credentials for the API:

    gcloudauthapplication-defaultlogin

  2. Download and install the Cloud SQL Auth Proxy to your local machine.

    Linux 64-bit

    1. Download the Cloud SQL Auth Proxy:
      curl-ocloud-sql-proxyhttps://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.20.0/cloud-sql-proxy.linux.amd64
    2. Make the Cloud SQL Auth Proxy executable:
      chmod+xcloud-sql-proxy

    Linux 32-bit

    1. Download the Cloud SQL Auth Proxy:
      curl-ocloud-sql-proxyhttps://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.20.0/cloud-sql-proxy.linux.386
    2. If thecurl command is not found, runsudo apt install curl and repeat the download command.
    3. Make the Cloud SQL Auth Proxy executable:
      chmod+xcloud-sql-proxy

    macOS 64-bit

    1. Download the Cloud SQL Auth Proxy:
      curl-ocloud-sql-proxyhttps://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.20.0/cloud-sql-proxy.darwin.amd64
    2. Make the Cloud SQL Auth Proxy executable:
      chmod+xcloud-sql-proxy

    Mac M1

    1. Download the Cloud SQL Auth Proxy:
      curl-ocloud-sql-proxyhttps://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.20.0/cloud-sql-proxy.darwin.arm64
    2. Make the Cloud SQL Auth Proxy executable:
      chmod+xcloud-sql-proxy

    Windows 64-bit

    Right-clickhttps://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.20.0/cloud-sql-proxy.x64.exe and selectSave Link As to download the Cloud SQL Auth Proxy. Rename the file tocloud-sql-proxy.exe.

    Windows 32-bit

    Right-clickhttps://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.20.0/cloud-sql-proxy.x86.exe and selectSave Link As to download the Cloud SQL Auth Proxy. Rename the file tocloud-sql-proxy.exe.

    Cloud SQL Auth Proxy Docker image

    The Cloud SQL Auth Proxy has different container images, such asdistroless,alpine,andbuster. The default Cloud SQL Auth Proxy container image usesdistroless, whichcontains no shell. If you need a shell or related tools, then download an image based onalpine orbuster.For more information, seeCloud SQL Auth Proxy Container Images.

    You can pull the latest image to your local machine using Docker by using the following command:

    docker pull gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.20.0

    Note: The Cloud SQL Auth Proxy uses a repository that supports thegcr.io domain but serves images from Artifact Registry. For more information, seeTransition from Container Registry.

    Other OS

    For other operating systems not included here, you cancompile the Cloud SQL Auth Proxy from source.

    You can choose to move the download to somewhere common, such as a location on yourPATH, or your home directory. If you choose to do this, when you start the Cloud SQL Auth Proxy later on in the tutorial, remember to reference your chosen location when usingcloud-sql-proxy commands.

Create backing services

This tutorial uses several Google Cloud services to provide thedatabase, media storage, and secret storage that support the deployed Djangoproject. These services are deployed in a specific region. For efficiency betweenservices, all services should be deployed in the same region.For more information about the closest region to you, seeProducts available by region.

This tutorial uses the integrated static asset hosting mechanisms in App Engine standard.

Set up a Cloud SQL for PostgreSQL instance

Django officially supports multiple relational databases, but offers the mostsupport for PostgreSQL. PostgreSQL is supported by Cloud SQL, so thistutorial chooses to use that type of database.

The following section describes the creation of a PostgreSQL instance, database, and database user for the app.

  1. Create the PostgreSQL instance:

    Console

    1. In the Google Cloud console, go to theCloud SQL Instances page.

      Go to the Cloud SQL Instances page

    2. ClickCreate Instance.

    3. ClickChoose PostgreSQL.

    4. ForSQL Edition, choose "Enterprise".

    5. ForEdition Preset, choose "Sandbox".

    6. In theInstance ID field, enterINSTANCE_NAME.

    7. Enter a password for the postgres user.

    8. Keep the default values for the other fields.

    9. ClickCreate Instance.

    It takes a few minutes for the instance to be ready for use.

    gcloud

    • Create the PostgreSQL instance:

      gcloudsqlinstancescreateINSTANCE_NAME \--projectPROJECT_ID \--database-versionPOSTGRES_16 \--tierdb-n1-standard-2 \--regionREGION

    Replace the following:

    • INSTANCE_NAME: the Cloud SQL instance name
    • PROJECT_ID: the Google Cloud project ID
    • REGION: theGoogle Cloud region

    It takes a few minutes to create the instance and for it to be ready for use.

  2. Within the created instance, create a database:

    Console

    1. Within your instance page, go to theDatabases tab.
    2. ClickCreate database.
    3. In theDatabase Name dialog, enterDATABASE_NAME.
    4. ClickCreate.

    gcloud

    • Create the database within the recently created instance:

      gcloudsqldatabasescreateDATABASE_NAME \--instanceINSTANCE_NAME

      ReplaceDATABASE_NAME with a name for the database inside the instance.

  3. Create a database user:

    Note: Users created this way get additional database rights. SeeLimit the database user privileges for an alternative method.

    Console

    1. Within your instance page, go to theUsers tab.
    2. ClickAdd User Account.
    3. In theChoose how to authenticate dialog under "Built-in Authentication":
    4. Enter the usernameDATABASE_USERNAME.
    5. Enter the passwordDATABASE_PASSWORD
    6. ClickAdd.

    gcloud

    • Create the user within the recently created instance:

      gcloudsqluserscreateDATABASE_USERNAME \--instanceINSTANCE_NAME \--passwordDATABASE_PASSWORD

      ReplacePASSWORD with a secure password.

Store secret values in Secret Manager

Now that the backing services are configured, Django needsinformation about these services. Instead of putting these values directly into the Django source code,this tutorial uses Secret Manager to store this informationsecurely.

Create Django environment file as a Secret Manager secret

You store the settings required to start Django in a secured env file.The sample app uses the Secret Manager API to retrieve the secretvalue, and thedjango-environ package to load the values into the Django environment. The secret is configuredto be accessible by App Engine standard.

  1. Create a file called.env, defining the database connection string, the media bucket name, and a newSECRET_KEY value:

    echoDATABASE_URL=postgres://DATABASE_USERNAME:DATABASE_PASSWORD@//cloudsql/PROJECT_ID:REGION:INSTANCE_NAME/DATABASE_NAME >.envechoGS_BUCKET_NAME=PROJECT_ID_MEDIA_BUCKET >>.envechoSECRET_KEY=$(cat/dev/urandom|LC_ALL=Ctr-dc'[:alpha:]'|fold-w50|head-n1) >>.env

  2. Store the secret in Secret Manager:

    Console

    1. In the Google Cloud console, go to theSecret Manager page.

      Go to the Secret Manager page

    2. ClickCreate secret

    3. In theName field, enterdjango_settings.

    4. In theSecret value dialog, paste the contents of your.env file.

    5. ClickCreate secret.

    6. Delete the local file to preventlocal setting overrides.

    gcloud

    1. Create a new secret,django_settings, with the value of the.env file:

      gcloudsecretscreatedjango_settings--data-file.env

    2. Delete the local file to preventlocal setting overrides:

      rm.env

  3. Configure access to the secret:

    Console

  4. Click thePermissions tab.

  5. ClickGrant access.

  6. In theNew Members field, enterPROJECT_ID@appspot.gserviceaccount.com, and then pressEnter.

  7. In theRole drop-down menu, selectSecret Manager Secret Accessor.

  8. ClickSave.