1

It is possible to set limits for the Google API credentials, to limit the access of an API key or token to an specific spreadsheet or folder, so this way those credentials can't access to all the information of the account but only the specify files.

Kos
  • 4,890
  • 9
  • 38
  • 42
jose alvarado
  • 11
  • 2

1 Answers1

0

Sure!

The Google Cloud Platform has robust tools to manage access to all sorts of things, including API credential access.

GCP IAM - Cloud Permissions and Access

You can create a cloud service to send respond with your key, only authorizing certain services to receive/request the key.

Here's the GCP IAM Documentation. Follow their instructions either via the frontend cloud console or command line tools to set a policy for your api key service.

Here's the gist of what you'll do for IAM:

  1. authorize various google apis for your project
  2. create a service account, e.g. my-api-key@see-the-docs-for-google-service-domain
  3. For each of your apps that need the service key, create another service account, i.e. my-app@see-the-docs-for...
  4. give whatever app service accounts your chosen access level/permission for the service account you created for your api key service
    • you're authorizing each app to access the api-key-service
  5. deploy a simple Flask service to send your api-key using your api-key-service account
  6. access the api credentials within your apps which have been given IAM permissions of their own
    • remember, you authorized your apps in step 4

On disk

For credentials stored on disk, it's best to encrypt/decrypt them on demand in app.

See this SO answer. If you encrypt your keys, go ahead and add to version control. Otherwise, avoid.

Secrets Manager or Berglas

However, I recommend you use either the open source Berglas tool or Google's managed Secrets product. You'll essentially give the secrets manager your api key, store it, then fetch it when necessary in-app or at load.

Adapted from the Google Cloud Documentation, almost verbatim:

# Import the Secret Manager client library.
from google.cloud import secretmanager_v1beta1 as sm

# GCP project in which to store secrets in Secret Manager.
project_id = 'YOUR_PROJECT_ID'

# ID of the secret to create.
secret_id = 'YOUR_SECRET_ID'

# Create the Secret Manager client.
client = sm.SecretManagerServiceClient()

# Build the parent name from the project.
parent = client.project_path(project_id)

# Create the parent secret
secret = client.create_secret(parent, secret_id, {
    'replication': {
        'automatic': {},
    },
})

# Add the api key
version = client.add_secret_version(secret.name, {'data': b'my-google-api-credentials'})

# Access the api key
response = client.access_secret_version(version.name)

# Now you have your decoded api credentials you can use for authentication
payload = response.payload.data.decode('UTF-8')

I changed some comments in the above but be sure to check Google's documentation and their github examples.

If you're more adventurous, the Berglas library is fantastic and I use it directly in several projects, via its Go client locally and its docker image within deployed services.

Jason R Stevens CFA
  • 2,232
  • 1
  • 22
  • 28