8

I'm trying to use Google Cloud Vision API with Node and run the application on Heroku. Something very close to this example:

https://github.com/googleapis/nodejs-vision

However, the Google API wants to authenticate by reading a file containing the service account, and location of the file is read using an environment variable. Is there a way to either securely store this file using Heroku, or somehow utilize Heroku Config Vars?

tputkonen
  • 5,579
  • 16
  • 60
  • 88
  • Here's a similar question with some additional answers: https://stackoverflow.com/q/41287108/278800 – Steve K Feb 19 '21 at 21:39

3 Answers3

12

The documentation for the NodeJS Google Auth Library actually provides a complete example on how to load credentials from environment variables. Specifically, it says this approach is recommended when using Heroku-like systems, so I think you should definitely have a look at it.

Once you download the credentials for your service account, with the format below, you can use them by following these steps:

  1. Load the environment variable using process.env['NAME_OF_YOUR_ENV_VAR'];
  2. Parse variable as JSON with JSON.parse(keysVar);
  3. Authorize the requests with the keys using the GoogleAuth.fromJSON() method.

Credentials format:

$ export CREDS='{
  "type": "service_account",
  "project_id": "your-project-id",
  "private_key_id": "your-private-key-id",
  "private_key": "your-private-key",
  "client_email": "your-client-email",
  "client_id": "your-client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "your-cert-url"
}'

You can find a more detailed example on how to use them in the Google Auth documentation I shared in the second link (or also directly here in this example file), so feel free to adapt it to your use case as convenient.

dsesto
  • 7,864
  • 2
  • 33
  • 50
2

@dsesto's answer works well. Previously, another solution was to use a buildpack that read the environment variable then write it to a file, but with the introduction of Heroku dot-profiles, you can actually read the environment variable and write it to a JSON file on dyno startup. This keeps the JSON file out of version control and AFAIK should be secure (someone please correct me if I'm wrong about this).

# .profile
echo ${GOOGLE_CREDENTIALS} > /app/google-credentials.json
David
  • 671
  • 5
  • 10
0

I'd recommend checking out this SO question, it solves the above issue without a lot of the faf that Google want you to go through. https://stackoverflow.com/a/53732919/5037755

Sohil Pandya
  • 755
  • 1
  • 7
  • 19
  • 1
    Created a blog post about it - https://medium.com/@sohilpandya/authenticating-google-service-account-securely-and-with-heroku-a0fdc9da9138?sk=f89a4a0b8730c2048a1e9426b09b6f89 Hope it helps in the future! – Sohil Pandya Apr 05 '20 at 21:32