
Using Controller Service in ExecuteScript


I am working on a Google Cloud project and I want to use Jython to connect to a custom API. I need to provide Google Service Account credentials in order to authenticate myself, but for security reasons I do not want the information to be easily accessed. I can create a working Controller Service that lets me connect to Google Cloud services.

I have Python code that can carry out the authentication, but the code is designed to be run independently and to load the credentials from a file. This, however, is not possible for me, as the credentials should not be visible to people who might have access to the server. So I need to store the credentials somewhere else.

Is there a way I could store the service account JSON in NiFi in such a way that I can access it when needed in ExecuteScript or use the Controller Service directly?


Solution

  • The answer to your question is NO. There is no secure method of distributing service account credentials in a file or as a JSON data structure. No matter how much you try to hide, mask or encrypt, it will take me only a few minutes to reverse engineer your obfuscation. Your choice is ease of use or security.

    If your code is running on a Google Compute service such as Compute Engine, your code could use the default service account accessed through metadata. This will prevent the requirement to distribute a service account JSON key file. However, anyone with access to the server can also access the metadata server. This technique is called ADC (Application Default Credentials). This is more secure, but not bulletproof in your use case.

    You have not provided enough details for me to recommend an alternative solution. If Google OAuth 2.0 User Credentials can be used, this will provide security and temporary OAuth Access Tokens. However, this is designed for human interaction (authentication).
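As an added example (not part of the original answer, and not NiFi or Google code), here is what the metadata-server path the answer describes looks like in plain Python: the script asks the Compute Engine metadata server for a short-lived OAuth access token for the instance's default service account, caches it until shortly before it expires, and refuses to proceed if what it was handed is instead a long-lived service-account key file (the thing the answer says cannot be hidden). The endpoint URL and the `Metadata-Flavor: Google` header are Google's documented ones; the injectable `http_get` and `clock` arguments and the sample response used below are assumptions made so the logic can be exercised offline, away from a VM. In NiFi's ExecuteScript (Jython 2.7) the `urllib.request` import would become `urllib2`; the rest is unchanged.

```python
import json
import time
import urllib.request

# Documented GCE metadata endpoint that returns a short-lived access token for the
# service account attached to the instance. Only reachable from inside the VM.
METADATA_TOKEN_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/token"
)
# The metadata server rejects requests without this header, which stops
# naive open-redirect / SSRF relays from harvesting tokens.
METADATA_HEADERS = {"Metadata-Flavor": "Google"}


def default_http_get(url, headers, timeout=2.0):
    """Real fetch, used when the script actually runs on a Compute Engine VM."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


class MetadataTokenSource:
    """Fetch and cache the instance's access token, refreshing before expiry.

    http_get and clock are injectable (an assumption for this example) so the
    refresh logic can be tested without a metadata server.
    """

    def __init__(self, http_get=default_http_get, clock=time.time, skew=60):
        self._http_get = http_get
        self._clock = clock
        self._skew = skew            # refresh this many seconds early
        self._token = None
        self._expires_at = 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            body = self._http_get(METADATA_TOKEN_URL, METADATA_HEADERS)
            data = json.loads(body)
            # Response shape: {"access_token": ..., "expires_in": N, "token_type": "Bearer"}
            if data.get("token_type") != "Bearer" or "access_token" not in data:
                raise ValueError("unexpected metadata token response")
            self._token = data["access_token"]
            self._expires_at = now + int(data["expires_in"])
        return self._token

    def auth_header(self):
        """Header to attach to the custom API call; the token is never written to disk."""
        return {"Authorization": "Bearer " + self.token()}


def looks_like_service_account_key(text):
    """True if a config value is a long-lived service-account JSON key.

    A script can call this on any credential it is handed and refuse to run,
    so a key file never ends up in a NiFi property or on the server's disk.
    """
    try:
        data = json.loads(text)
    except ValueError:
        return False
    return (
        isinstance(data, dict)
        and data.get("type") == "service_account"
        and "private_key" in data
    )
```

The token a VM gets this way typically lasts about an hour and cannot be copied off the box and reused indefinitely the way a key file can; anyone who can run code on the instance can still obtain one, which is the caveat the answer raises.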