Search code examples
dockersecuritygoogle-cloud-platformgoogle-cloud-runservice-accounts

How to Securely Manage creds.json for Google Cloud Run Deployment

I'm working on a Python project requiring integration with Google services, and I need to use a creds.json file for authentication with a Google service account.

I understand the importance of keeping this file secure and not including it in my Git repository or Docker image build process.

The creds.json has the following structure:

{
    "type": "*",
    "project_id": "*",
    "private_key_id": "*",
    "private_key": "-----BEGIN PRIVATE KEY-----*-----END PRIVATE KEY-----\n",
    "client_email": "*",
    "client_id": "*",
    "auth_uri": "*",
    "token_uri": "*",
    "auth_provider_x509_cert_url": "*",
    "client_x509_cert_url": "*",
    "universe_domain": "*"
}

In my application, accessing this file is necessary for granting permissions as shown:

credentials = service_account.Credentials.from_service_account_file('creds.json', scopes=SCOPES)

Challenges:

  1. When building a Docker image, the creds.json file isn't included, leading to failures in authentication.
  2. Similarly, deploying the application to Google Cloud Run presents the same issue—the environment doesn't recognize the creds.json file.

Given these challenges, I am seeking advice on the best practices for securely managing and accessing the creds.json file in both Docker and Google Cloud Run environments. I'm particularly interested in understanding the correct workflow for including this file in the deployment process without compromising security.

Specifically, my questions are:

How can I include creds.json in my Docker build (if it wrong to do COPY creds.json ./creds.json in Dockerfile?) and Google Cloud Run deployment securely, ensuring it's neither hard-coded nor publicly exposed?

Are there recommended strategies or tools within the Google Cloud ecosystem (like Secret Manager) that can facilitate secure handling of such sensitive files?

I'm relatively new to cloud-native deployments and would greatly appreciate detailed guidance or references to best practices in this area.

Solution

  • Super easy!! Do not use a service account key file! Problem solved!!

    Then update your code

    Get the default credential from the runtime context

    creds, _ = google.auth.default(scopes=SCOPES)

    On Cloud run, use the metadata server and runtime service account

    On your local machine, use your own credential directly

    gcloud auth application-default login

    Or the same service account as Cloud Run use by impersonating it with your own credential

    gcloud auth application-default login --impersonate-service-account=<service account email>

    If you use your container locally, you can read my article to use your own credential in the local container runtime context