
I've tried to use GCP's Secret Manager in a WinForms C# app I'm creating, but I need credentials.json to access the Secret Manager in the first place. This is fine for development but not in production. Perhaps I shouldn't be using a secret manager at all.

Currently I have a local C# WinForms app. The user (a customer, not an admin) using the app locally can select files from the Windows filesystem and upload these files to a Google Cloud Storage bucket. I don't have a server at all, but if I should, I'm not sure what sort of logic should be inside it.

From the comments I think the server should be the middleman that the user logs into: the user gets a token, and then the user can upload files to the gcloud storage bucket via the server using the token. That way I never really give the user a credentials.json file in the first place.

For this architecture I thought I should use a Service Account, because the server would be making the gcloud storage bucket upload calls on behalf of an authenticated user, but then I see from John Hanley that User Credentials are assumed to start in an insecure environment, and I'd want to have the info of "what user did what" in the audit logs.

In my development build I'm storing credentials.json outside of my project directory and pointing to it using environment variables. This works, but this answer suggests I encrypt it using Google KMS and decrypt it in the application.

In the comments I see that this is not really secure because the Service Account credentials could be exposed.

As per this answer, DLLs can be decompiled to equivalent C# code, so anybody would be able to see what I've used to decrypt the key.

  1. So now I want to know what architecture I should be using in production and how to make it secure.
  2. I'm thinking of making a GAE instance that stores user information in a database, gives authenticated users a token and uses this token when making calls to upload to the gcloud storage bucket. Is this sufficient for a production app?
kenshima
  • Does a user 'log in' to your application? If so, then at that point there should be a call to your 'server' to get a token to use your service. At that point, all the user has is a token that means nothing except to access your API. No local credentials are required. – Neil Jan 22 '21 at 15:03
  • @Neil Ah so the user logs in from the local app to a server that authenticates with GCP? What kinda logic goes on the server? Just basically authenticating the app to use GCP and any other things I need to do with GCP like upload to cloud? – kenshima Jan 22 '21 at 15:26
  • Decrypting credentials inside your app is not secure. Script kiddies can break this and will do it just for fun. Then you will have a service account exposed on the Internet. Edit your question with more details. Where and who is using this application. Why does your app require a service account? Is this a client/server design? A lot more information is required to help you with a secure and deployable solution. – John Hanley Jan 22 '21 at 17:37
  • John Hanley, I've added all the necessary information. Let me know if this is sufficient please. – kenshima Jan 23 '21 at 12:18

1 Answer


So I think I'm mainly supposed to use Secret Manager with Service Accounts and one of GCP's engines (GAE or GCE) by using the Application Default Credentials instead (please correct me if I'm wrong).

No, you should use a custom service account with the permissions you need when running your workload. You should not store service account credentials in Secret Manager.

sethvargo
  • Sorry, that was rather vague. I've used Secret Manager in another app and thought it could be used here as well. I want to authenticate my local WinForms app to be able to upload to gcloud storage buckets in production but obviously don't want to give the user a key. I followed [this link](https://cloud.google.com/docs/authentication/end-user) to get started – kenshima Jan 22 '21 at 16:03
  • Who is performing the upload when running the app? Is the user performing the upload or is the user? What should appear in audit logs? – sethvargo Jan 22 '21 at 22:06
  • sethvargo I think the user would initiate the upload but then the server (to be implemented) would actually perform the upload. – kenshima Jan 23 '21 at 12:20
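As an added example (not code from the question, the answer, or Google's documentation), here is the server side of the architecture the thread converges on, written as an ASP.NET Core minimal API: the WinForms client sends only the user's login token, the server validates it and performs the upload with the custom service account attached to the GAE/GCE/Cloud Run instance via Application Default Credentials, so no credentials.json ships anywhere. The issuer, audience and bucket values are placeholders, and the project is assumed to use implicit usings and the Google.Cloud.Storage.V1 package.

```csharp
using System.Security.Claims;
using Google.Cloud.Storage.V1;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// Validate the user's bearer token. Issuer and audience are placeholders for your identity provider.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Authority = "https://ISSUER_PLACEHOLDER"; // assumption: your IdP's issuer URL
        o.Audience = "AUDIENCE_PLACEHOLDER";        // assumption: audience your tokens carry
    });
builder.Services.AddAuthorization();

// No credentials.json anywhere: Application Default Credentials resolve the custom
// service account attached to the GAE/GCE/Cloud Run instance this server runs on.
builder.Services.AddSingleton(StorageClient.Create());

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

const string Bucket = "BUCKET_PLACEHOLDER"; // assumption: the upload bucket

// POST /upload/{fileName} with the raw file bytes as the request body.
app.MapPost("/upload/{fileName}", async (string fileName, HttpRequest req,
                                         ClaimsPrincipal user, StorageClient storage) =>
{
    // Identity comes from the validated token, never from anything the client puts in the body.
    var userId = user.FindFirstValue(ClaimTypes.NameIdentifier) ?? user.FindFirstValue("sub");
    if (string.IsNullOrEmpty(userId)) return Results.Unauthorized();
    // Namespace objects per user and drop any directory components the client supplied.
    var objectName = $"{userId}/{Path.GetFileName(fileName)}";
    var destination = new Google.Apis.Storage.v1.Data.Object
    {
        Bucket = Bucket,
        Name = objectName,
        ContentType = req.ContentType ?? "application/octet-stream",
        // Cloud Audit Logs will show the service account as the caller, so the app-level
        // "which user did this" is recorded on the object and in the server log below.
        Metadata = new Dictionary<string, string> { ["uploaded-by"] = userId },
    };
    await storage.UploadObjectAsync(destination, req.Body);
    app.Logger.LogInformation("User {UserId} uploaded gs://{Bucket}/{Object}", userId, Bucket, objectName);
    return Results.Ok(new { bucket = Bucket, name = objectName });
}).RequireAuthorization();
app.Run();
```

The service account only needs object-write permission on that one bucket, so a leaked server is limited to what this endpoint can already do.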