I'm working on a Python project requiring integration with Google services, and I need to use a creds.json file for authentication with a Google service account.
I understand the importance of keeping this file secure and not including it in my Git repository or Docker image build process.
The creds.json file has the following structure:
{
    "type": "*",
    "project_id": "*",
    "private_key_id": "*",
    "private_key": "-----BEGIN PRIVATE KEY-----*-----END PRIVATE KEY-----\n",
    "client_email": "*",
    "client_id": "*",
    "auth_uri": "*",
    "token_uri": "*",
    "auth_provider_x509_cert_url": "*",
    "client_x509_cert_url": "*",
    "universe_domain": "*"
}
In my application, accessing this file is necessary for granting permissions, as shown:
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file('creds.json', scopes=SCOPES)
Challenges:
Given these challenges, I am seeking advice on the best practices for securely managing and accessing the creds.json file in both Docker and Google Cloud Run environments. I'm particularly interested in understanding the correct workflow for including this file in the deployment process without compromising security.
Specifically, my questions are:
How can I include creds.json in my Docker build (is it wrong to do COPY creds.json ./creds.json in the Dockerfile?) and Google Cloud Run deployment securely, ensuring it's neither hard-coded nor publicly exposed?
Are there recommended strategies or tools within the Google Cloud ecosystem (like Secret Manager) that can facilitate secure handling of such sensitive files?
I'm relatively new to cloud-native deployments and would greatly appreciate detailed guidance or references to best practices in this area.
Super easy!! Do not use a service account key file! Problem solved!!
Then update your code
Get the default credential from the runtime context
import google.auth
creds, _ = google.auth.default(scopes=SCOPES)
On Cloud Run, use the metadata server and runtime service account
On your local machine, use your own credential directly
gcloud auth application-default login
Or use the same service account as Cloud Run by impersonating it with your own credential
gcloud auth application-default login --impersonate-service-account=<service account email>
If you use your container locally, you can read my article to use your own credential in the local container runtime context
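To make the answer's approach concrete, here is an added example (not code from the question, the answer, or Google's libraries) that does two things a practitioner would want before deploying: it reports which source Application Default Credentials will resolve to in the current runtime, following the documented ADC lookup order (GOOGLE_APPLICATION_CREDENTIALS, then the gcloud ADC file written by `gcloud auth application-default login`, then the attached service account via the metadata server), and it scans a directory for JSON files shaped like service account keys so a CI step can fail the build if a creds.json was ever COPY'd into the image. It relies on two real environment variables, `K_SERVICE` (set by Cloud Run) and `CLOUDSDK_CONFIG` (gcloud's config-dir override); the `demo()` fixture, file names and e-mail address are constructed for illustration.

```python
"""Pre-flight checks for Application Default Credentials (ADC).

Added example, not part of the original question or answer. It mirrors the
documented ADC lookup order rather than re-implementing google-auth, and only
imports google.auth lazily so the checks run where the library is absent.
"""
import json
from pathlib import Path


def describe_adc_source(env, home):
    """Return (source, detail) describing what google.auth.default() would use.

    env:  a mapping like os.environ (passed explicitly so it is testable)
    home: the user's home directory (gcloud stores ADC under ~/.config/gcloud)
    """
    # 1. An explicit key file wins over everything else. Seeing this set inside
    #    a Cloud Run container means a key file was shipped with the image.
    key_file = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if key_file:
        return ("key_file", key_file)

    # 2. The file written by `gcloud auth application-default login`
    #    (optionally with --impersonate-service-account). CLOUDSDK_CONFIG is
    #    gcloud's own override for its config directory.
    cfg_dir = Path(env.get("CLOUDSDK_CONFIG", Path(home) / ".config" / "gcloud"))
    adc_file = cfg_dir / "application_default_credentials.json"
    if adc_file.is_file():
        # "authorized_user" = your own credential,
        # "impersonated_service_account" = impersonation,
        # "service_account" = a key was pasted in (avoid).
        kind = json.loads(adc_file.read_text()).get("type", "unknown")
        return ("gcloud_adc_file", kind)

    # 3. On Cloud Run (K_SERVICE is set for every revision) the metadata
    #    server hands out tokens for the revision's runtime service account.
    if "K_SERVICE" in env:
        return ("metadata_server", "runtime service account")

    return ("none", "no credential found; run: gcloud auth application-default login")


def find_service_account_keys(root):
    """Scan a directory tree for JSON files that look like service account keys.

    Run this against the image's application directory in CI; any hit means a
    private key is baked into the artifact and the build should fail.
    """
    hits = []
    for path in Path(root).rglob("*.json"):
        try:
            data = json.loads(path.read_text())
        except (ValueError, OSError):
            continue  # not JSON, or unreadable: not a key file
        if (isinstance(data, dict)
                and data.get("type") == "service_account"
                and "private_key" in data):
            hits.append(str(path))
    return sorted(hits)


def load_credentials(scopes):
    """Actual credential resolution, as the answer recommends (no key file).

    google-auth is imported here, not at module top, so the checks above work
    without it installed.
    """
    import google.auth
    creds, project = google.auth.default(scopes=scopes)
    return creds, project


def demo():
    """Constructed fixture: a fake key-shaped file in a temp dir (no real secret)."""
    import tempfile
    tmp = Path(tempfile.mkdtemp())
    fake_key = {  # constructed; the private_key value is not a real key
        "type": "service_account",
        "private_key": "FAKE-NOT-A-KEY",
        "client_email": "demo@example.invalid",
    }
    (tmp / "creds.json").write_text(json.dumps(fake_key))
    (tmp / "settings.json").write_text(json.dumps({"debug": True}))

    found = find_service_account_keys(tmp)
    on_cloud_run = describe_adc_source({"K_SERVICE": "api"}, tmp)
    with_key = describe_adc_source(
        {"GOOGLE_APPLICATION_CREDENTIALS": str(tmp / "creds.json")}, tmp)
    return {
        "found": [Path(p).name for p in found],  # only creds.json should match
        "cloud_run": on_cloud_run[0],            # "metadata_server"
        "key": with_key[0],                      # "key_file"
    }


if __name__ == "__main__":
    print(demo())
```

In a deployment pipeline the useful wiring is: run `find_service_account_keys` against the build context (or the unpacked image) and fail on any hit, and have the application call `load_credentials(SCOPES)` instead of `from_service_account_file`, so the same code picks up your own ADC locally and the runtime service account on Cloud Run without any file travelling with the image.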