Is my Google App Engine deployed source code secure?
I'm thinking about good ways to store third-party credentials, which basically means there needs to be a secret somewhere, either in code or data. I'm deploying on Google App Engine.
If the 'secret' was something like:
pw_passphrase = sha2(username + 'global-password')
pw_plaintext = aes_decrypt(pw_passphrase, pw_ciphertext)
Can I depend on this code never being seen by a non-App Engine administrator?
...what if the credentials protect something supersensitive like personal financial data, do we still trust it?
(The sha2 bit is exchangeable with any other secret pseudo-random function.)
Yes: your source code is secure (as secure as Google can make it), and there's no way for unauthorized third parties to peek.
Also remember to handle exceptions in your code with an error page, or else an exception thrown might uncover your source code to an unsigned user.
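One way to apply the advice about error pages, shown as an added example that is not part of the original answers: a WSGI middleware that logs the traceback server-side and returns a generic page. The names `SafeErrors`, `leaky_app` and `call` are hypothetical, and the failing handler and its secret value are constructed for the demonstration.

```python
import logging
import sys
import uuid
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("app.errors")
GENERIC_PAGE = ("<html><body><h1>Something went wrong</h1>"
                "<p>Reference: {ref}</p></body></html>")

class SafeErrors:
    """WSGI middleware: traceback goes to the log, client sees a generic page."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            result = self.app(environ, start_response)
            try:
                # Materialise the body so errors raised while iterating are caught too.
                return list(result)
            finally:
                if hasattr(result, "close"):
                    result.close()
        except Exception:
            ref = uuid.uuid4().hex  # ties a user's report to one log entry
            log.exception("unhandled error ref=%s path=%s",
                          ref, environ.get("PATH_INFO"))
            body = GENERIC_PAGE.format(ref=ref).encode("utf-8")
            headers = [("Content-Type", "text/html; charset=utf-8"),
                       ("Content-Length", str(len(body)))]
            # exc_info lets the server replace headers the failed app already set.
            start_response("500 Internal Server Error", headers, sys.exc_info())
            return [body]

def leaky_app(environ, start_response):
    """Constructed handler that fails while a secret sits in a local variable."""
    global_password = "constructed-secret-value"  # a debug page would show this local
    start_response("200 OK", [("Content-Type", "text/plain")])
    raise KeyError("pw_ciphertext for " + environ["PATH_INFO"])

def call(app, path="/creds"):
    """Drive a WSGI app in-process and return (status, body bytes)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body = b"".join(app(environ, start_response))
    return seen["status"], body
```

Wrapping the application object once, for example `app = SafeErrors(app)`, covers every handler, and framework debug modes should stay off in production.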