"Do not embed secrets related to authentication in source code" - one may hear frequently. Okay, so I use the Key Management Service and Secret Manager.
But then, how do I correctly access secrets stored there from Compute Engine's VM and from my local dev environment?
I can think of either:
1. Accessing the secrets using the default Service Account credentials, but then how do I access the secrets in the local development environment and inside of my local Docker containers (i.e. outside of Compute Engine)?
2. Accessing the secrets using a custom Service Account, but then I need to store its JSON key somewhere and access it from my code. For that I have two options:
2.1. Store it with the source code, so I have it on the dev machine and in the Docker container. But then that goes against the opening statement "Do not embed secrets ... in source code". Bad idea.
2.2. Store it somewhere on my dev machine. But then how does my Docker container access it? I could provide the key as a Docker secret, but wouldn't that be yet again "embedding in source code"? Upon starting the container on my VM I'd need to provide that secret from somewhere, yet again going back to the question of how the secret arrives at the VM in the first place.
I know that Application Default Credentials (ADC) can try to use option 2 and then fall back on option 1 - yet, how do I solve the conflict from option 2? Where should the Service Account credentials reside to be accessible in both my local dev and in a local container - and not embedded in the source code?
I found one way to make this work (sort of):
On the local dev env, rely on GOOGLE_APPLICATION_CREDENTIALS to point to the Service Account credentials manually downloaded from GCP.
On the local Docker container, provide that same file as a secret. My app then searches /run/secrets/ for it if GOOGLE_APPLICATION_CREDENTIALS is not set.
On the Compute Engine VM, download that file from a Google Storage bucket (having previously uploaded it). Given that the default Service Account is used if no other credential is specified, I'm able to gsutil cp that file from a bucket. Then provide that downloaded file as a secret to the container.
Still, I'm not sure if that's good from the standpoint of not embedding in the source code. It also feels quite manual with all the uploading and downloading of the credentials from the bucket. Any hints on how to improve this authentication are most welcome.
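The credential-lookup order described in the post (GOOGLE_APPLICATION_CREDENTIALS first, then a key file mounted under /run/secrets/, otherwise the attached service account on Compute Engine) as a small standalone helper. This is an added example, not code from the post; it uses only the standard library, so it stops at choosing and sanity-checking the source rather than calling Secret Manager. The secret name gcp-sa-key.json, the function names, and the fake key material in the demo are assumptions made for this example.

```python
"""Pick where Application Default Credentials should come from.

Order, mirroring the setup described in the question:
  1. GOOGLE_APPLICATION_CREDENTIALS points at a service-account key file.
  2. Otherwise a key file mounted as a Docker secret under /run/secrets/.
  3. Otherwise None: let the Google client library fall back to the
     service account attached to the Compute Engine VM (metadata server),
     which needs no key file at all.
"""
import json
import os
import tempfile
from pathlib import Path
from typing import Mapping, MutableMapping, Optional

# Hypothetical Docker secret name, chosen for this example.
DEFAULT_SECRET_NAME = "gcp-sa-key.json"


def resolve_key_file(env: Mapping[str, str],
                     secrets_dir: Path = Path("/run/secrets"),
                     secret_name: str = DEFAULT_SECRET_NAME) -> Optional[Path]:
    """Return the key file to use, or None to use the attached service account."""
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        return Path(explicit)
    mounted = secrets_dir / secret_name
    if mounted.is_file():
        return mounted
    return None


def validate_key_file(path: Path, project_root: Path) -> dict:
    """Sanity-check a key file before handing it to a client library.

    Raises ValueError if it is not a service-account key, if it sits inside
    the source tree (the "embedded in source code" anti-pattern the post
    wants to avoid), or if it is readable by group/others.
    """
    data = json.loads(path.read_text())
    if data.get("type") != "service_account":
        raise ValueError(f"{path}: not a service account key (type={data.get('type')!r})")
    for field in ("client_email", "private_key", "project_id"):
        if not data.get(field):
            raise ValueError(f"{path}: missing required field {field!r}")
    resolved = path.resolve()
    if resolved == project_root.resolve() or project_root.resolve() in resolved.parents:
        raise ValueError(f"{path}: key file lives inside the source tree {project_root}")
    if resolved.stat().st_mode & 0o077:
        raise ValueError(f"{path}: key file is readable by group/others; chmod 600 it")
    return {"client_email": data["client_email"], "project_id": data["project_id"]}


def configure_adc(env: MutableMapping[str, str], project_root: Path,
                  secrets_dir: Path = Path("/run/secrets")) -> str:
    """Choose a credential source; export GOOGLE_APPLICATION_CREDENTIALS if a file is used.

    Returns a short description of the chosen source.
    """
    key = resolve_key_file(env, secrets_dir)
    if key is None:
        return "attached service account (metadata server)"
    info = validate_key_file(key, project_root)
    env["GOOGLE_APPLICATION_CREDENTIALS"] = str(key)
    return f"key file {key} for {info['client_email']}"


if __name__ == "__main__":
    # Demo with a constructed, fake key file kept outside a fake repo root.
    tmp = Path(tempfile.mkdtemp())
    repo = tmp / "repo"
    repo.mkdir()
    key = tmp / "keys" / DEFAULT_SECRET_NAME
    key.parent.mkdir()
    key.write_text(json.dumps({
        "type": "service_account",
        "client_email": "demo@example-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
        "project_id": "example-project",
    }))
    os.chmod(key, 0o600)
    print(configure_adc({"GOOGLE_APPLICATION_CREDENTIALS": str(key)}, repo, secrets_dir=tmp))
    print(configure_adc({}, repo, secrets_dir=tmp / "no-secrets"))
```

Because the function returns None on Compute Engine, nothing needs to be copied from a bucket there: the Google client libraries pick up the VM's attached service account on their own, and the key file only ever exists on the dev machine and inside the container's secret mount.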