
So far I would point GOOGLE_APPLICATION_CREDENTIALS to the file which stores the service-account (SA) credentials for the Firebase SA, e.g. GOOGLE_APPLICATION_CREDENTIALS=/path/to/credentials.json.

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

import com.google.auth.oauth2.GoogleCredentials;
import com.google.firebase.FirebaseApp;
import com.google.firebase.FirebaseOptions;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;

@Value("${api-key.google.application-credentials}")
private String googleCredentials;

@Bean
public FirebaseApp firebaseApp() throws IOException {

    LOGGER.info("Initializing Firebase.");

    // try-with-resources so the key-file handle is closed once the credentials are parsed
    try (InputStream serviceAccount = new FileInputStream(googleCredentials)) {
        FirebaseOptions options = FirebaseOptions.builder()
                .setCredentials(GoogleCredentials.fromStream(serviceAccount))
                .build();

        // initializeApp() throws if the default app already exists, so reuse it instead
        if (FirebaseApp.getApps().isEmpty()) {
            return FirebaseApp.initializeApp(options);
        }

        return FirebaseApp.getApps().get(0);
    }
}

Moving towards deployment, I've decided to go with GCP's Secret Manager.

I was wondering if I can read a secret value "as a file" such that the code above works with

api-key:
  google:
    application-credentials: ${sm://GOOGLE_APPLICATION_CREDENTIALS}

as well as

api-key:
  google:
    application-credentials: ${GOOGLE_APPLICATION_CREDENTIALS:google-credentials.json}

or is there another way this should be done?

I know I have the option to just use the raw JSON and create a temporary file which I'd pass to GoogleCredentials.fromStream() but that's just weird. Am I missing something?

Stefan Falk
  • Where will your application run? On Google Cloud or elsewhere? – guillaume blaquiere Apr 20 '23 at 14:19
  • @guillaumeblaquiere It's running under Cloud Run. I figured that it might work by setting the resource-id of a secret like `${sm://projects/project-id/secrets/GOOGLE_APPLICATION_CREDENTIALS}` once I manage to get the secret manager working – Stefan Falk Apr 20 '23 at 14:59
  • If you are under Cloud Run, you don't need a service account key file. It's a bad practice. You can use the Cloud Run runtime service account. https://cloud.google.com/run/docs/securing/service-identity – guillaume blaquiere Apr 20 '23 at 15:28
  • @guillaumeblaquiere Am I getting this right? Basically I have to do nothing as the client libraries will automatically access these credentials as they run in the Cloud Run context? – Stefan Falk Apr 20 '23 at 15:39
  • Yes, it's the ADC (Application Default Credentials) mechanism. On Google Cloud, there is always a metadata server that exposes the credentials of the current runtime environment. That's why keys are useless: they are already loaded in the service context. – guillaume blaquiere Apr 20 '23 at 15:43
  • @guillaumeblaquiere Got it. Just re-deployed and so far no complaints except the thing about the [secret manager](https://stackoverflow.com/questions/76064326/gcp-secret-manager-environment-variables-and-secrets-not-resolved-in-spring-boo?noredirect=1#comment134149679_76064326). Thanks a lot! – Stefan Falk Apr 20 '23 at 15:44

1 Answer

Posting this as a community wiki.

As per the previous comment:

When using Google Cloud Run, a service account key file is not needed. Client libraries will automatically access the credentials of the runtime environment because of the Application Default Credentials (ADC). Cloud Run has a metadata server that exposes the credentials of the current runtime environment. Additional information can be found through this link on [Service Identity](https://cloud.google.com/run/docs/securing/service-identity).
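The following is an added example, not code from the question or the answer, showing how the question's Firebase bean looks once it relies on ADC instead of a key file. On Cloud Run `GoogleCredentials.getApplicationDefault()` obtains the runtime service account's credentials from the metadata server; the optional file path (the property name `api-key.google.application-credentials` is taken from the question, and making it optional with an empty default is this example's assumption) is only consulted when it is set, e.g. for a local development machine. The class name `FirebaseConfig` is also assumed.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

import com.google.auth.oauth2.GoogleCredentials;
import com.google.firebase.FirebaseApp;
import com.google.firebase.FirebaseOptions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class FirebaseConfig {

    private static final Logger LOGGER = LoggerFactory.getLogger(FirebaseConfig.class);

    // Assumed: empty default so the property can be left unset on Cloud Run,
    // where no key file exists and none should be mounted.
    @Value("${api-key.google.application-credentials:}")
    private String googleCredentials;

    @Bean
    public FirebaseApp firebaseApp() throws IOException {
        // Reuse the default app if another bean (or a test) already created it.
        if (!FirebaseApp.getApps().isEmpty()) {
            return FirebaseApp.getInstance();
        }

        FirebaseOptions options = FirebaseOptions.builder()
                .setCredentials(loadCredentials())
                .build();

        LOGGER.info("Initializing Firebase.");
        return FirebaseApp.initializeApp(options);
    }

    private GoogleCredentials loadCredentials() throws IOException {
        if (googleCredentials == null || googleCredentials.isBlank()) {
            // Cloud Run path: the metadata server hands out short-lived tokens
            // for the runtime service account; no secret is stored anywhere.
            LOGGER.info("No key file configured; using Application Default Credentials.");
            return GoogleCredentials.getApplicationDefault();
        }

        // Local-development path: a long-lived key file on disk. Log it loudly so a
        // key file accidentally shipped with a deployment is noticed in the logs.
        LOGGER.warn("Loading service-account key from {}; prefer ADC on Google Cloud.", googleCredentials);
        try (InputStream in = new FileInputStream(googleCredentials)) {
            return GoogleCredentials.fromStream(in);
        }
    }
}
```

With this arrangement the Secret Manager question disappears for the credentials: there is no JSON to store or to write to a temporary file. ADC resolves, in order, the `GOOGLE_APPLICATION_CREDENTIALS` environment variable, the user credentials left by `gcloud auth application-default login`, and finally the metadata server, so a developer machine can also run the ADC branch without any key file. What remains is to grant the Cloud Run runtime service account the Firebase roles it needs, which is an IAM change rather than a secret.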

Robert G