
I'm using Google Cloud Storage and now need to release my platform to a staging site but have no idea where to store the Google service account credentials:

{
  "type": "service_account",
  "project_id": "",
  "private_key_id": "",
  "private_key": "",
  "client_email": "",
  "client_id": "",
  "auth_uri": "",
  "token_uri": "",
  "auth_provider_x509_cert_url": "",
  "client_x509_cert_url": ""
}

I'm guessing they shouldn't be stored in a private Github Repository and they can't be saved in ENV variables.

I read this article: Google Cloud Functions - How to securely store service account private key when using Google Source Repository?

However, I feel this is overkill and there must be a better way to save the credentials file. Alternatively, are the credentials even secret? Do they need to be secured?

Thanks!

nick
  • Are you essentially asking the same question as that other one you linked to? If so, this question is probably going to be marked as a duplicate - there is no need to collect different answers to the same questions in multiple places. – Doug Stevenson Jun 08 '20 at 16:06
  • that answer is the best answer you will receive. Do what that answer says if you want to keep your workloads secure. Credentials are secret and sacred. – Asdfg Jun 08 '20 at 16:09
  • Does this answer your question? [Google Cloud Functions - How to securely store service account private key when using Google Source Repository?](https://stackoverflow.com/questions/48602546/google-cloud-functions-how-to-securely-store-service-account-private-key-when) – Asdfg Jun 08 '20 at 16:10

1 Answer


Yes, credentials are absolutely something to keep secret. They are a bearer token, which means anyone that has a hold of them can use your project for whatever permissions you've granted. Please don't ever upload them into a GitHub repo or something similar.

The answer to your question depends largely on how/where you're deploying your platform into the Cloud (what products). Many of them, when you deploy, have the option of assigning a service account to the product, which means no need for the credential file itself, the credentials will apply to things run on the product.

For example, if you're deploying to Google Compute Engine, when you deploy the virtual machine, you can assign a service account to it.

It sounds like you might be using Cloud Functions (hence the link you found?), which if that's the case, Cloud Functions when you deploy them also can have a service account assigned to it. When you're creating the function, expand the advanced options at the bottom, and check the Service account dropdown menu just above the Networking section. If you assign the service account you've created in that field, everything run from inside the function will have the permissions you've assigned to the service account.

If it's a different product you're using than GCE or GCF, comment here and I can point you at some resources.

Gabe Weiss
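One check the answer's advice implies, as an added example that is not part of the question or the answer: a small Python scanner, run before committing or deploying, that flags files containing a Google service account key, either a `"type": "service_account"` document with a real `"private_key"` or the PEM header pasted into a `.env` value, while letting a redacted template like the one in the question through. The files written by `demo()` are constructed samples with a placeholder key.

```python
import json
import re
import tempfile
from pathlib import Path

# PEM header carried by every downloaded service account key.
PEM_MARKER = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")

def is_service_account_key(text: str) -> bool:
    """True if text is service account key JSON with a live private key; the
    redacted template from the question (empty "private_key") is not flagged."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    if not isinstance(doc, dict) or doc.get("type") != "service_account":
        return False
    return bool(PEM_MARKER.search(doc.get("private_key") or ""))

def scan_tree(root: Path) -> list[str]:
    """Relative paths under root holding a key, as a JSON file or pasted into .env."""
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        if is_service_account_key(text) or PEM_MARKER.search(text):
            hits.append(path.relative_to(root).as_posix())
    return hits

def demo() -> list[str]:
    """Scan a throwaway tree of constructed files; returns the flagged paths."""
    fake_key = ("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n"
                "-----END PRIVATE KEY-----\n")
    files = {
        "config/sa.json": json.dumps({"type": "service_account", "private_key": fake_key}),
        "template.json": json.dumps({"type": "service_account", "private_key": ""}),
        ".env": "GCP_SA_KEY='" + json.dumps({"private_key": fake_key}) + "'\n",
        "README.md": "nothing secret here\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        return scan_tree(root)
```

Wired into a pre-commit hook or a CI step, a non-empty result from `scan_tree` should fail the run; the same scan over a deployment bundle catches a key that was pasted into an env file rather than kept in Secret Manager.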
  • Hi @Gabe, thanks so much for your reply. I will most likely be using either Heroku or Digital Ocean. Could using pipelines also resolve my issue? For example I modify the contents of the credentials .json file before deploying? Thanks in advance! – nick Jun 08 '20 at 16:21
  • Ooh, if you're leaving the grounds of GCP then you want to look at the Secret Manager: https://cloud.google.com/secret-manager – Gabe Weiss Jun 08 '20 at 16:46
  • In addition to Gabe's good answer, if you need to store Google Cloud secrets such as a service account in a different service such as DO or Heroku, you have a problem. You will either need to manually store the JSON file on the instance, or use environment variables. Edit your question to be very specific in which services you are using and which types of secrets you need to protect. Read these links: https://www.digitalocean.com/community/tutorials/an-introduction-to-managing-secrets-safely-with-version-control-systems AND https://blog.heroku.com/ten-ways-to-secure-your-apps – John Hanley Jun 08 '20 at 19:20
  • Thank you both for your help, I'm new around here so I appreciate both your advice and guidance! – nick Jun 08 '20 at 19:51
  • @GabeWeiss - is it also possible to paste the .json file contents into an ENV variable? – nick Jun 08 '20 at 20:08
  • It is possible, yes, but keep in mind, as you're securing your app that in doing so, you're essentially storing your private SSL key (it's in the service account) in plaintext. This is why we don't suggest doing things like that. Sometimes it IS unavoidable, as John mentioned, then you're looking to store the json file on the instance itself or use env vars. Whether you do one vs. the other is largely academic at that point. The credentials are physically on the instance in some way at that stage of the game. The links he provided are excellent starting points to get a feel for things. – Gabe Weiss Jun 08 '20 at 20:10