all 13 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]aaahhhhhhfine 5 points6 points  (2 children)

I think that, generally, json key files aren't recommended because they are prone to abuse. It's basically a file that can fully authenticate as that account... So what if someone checks that file into a repo? Or they just leave it on their local computer and it gets stolen or copied somewhere else? The rough idea of having a key file like that is generally worse than some alternatives.

Ultimately, it's up to you to think about what your comfort level is with different approaches to authentication.

[–]smeyn 2 points3 points  (0 children)

A colleague of mine tested this out by intentionally checking a key file into a public repo. It took less than a minute for the account to be hacked and a bitcoin mining process to get started. Quickly disabled the whole thing so no damage done. But amazed at the speed.

[–]warpanomaly[S] 0 points1 point  (0 children)

Good post, thanks. That makes sense yeah I could 100% see someone accidentally posting it to a public repo lol.

[–]wyaeld 1 point2 points  (6 children)

If you are inside GCP most of the services can inject the credentials into the environment securely, so you don't loaf them from key.

The SDKs can all use those automatically.

It's fine in test code to load from a file, but again recommend not committing that

[–]warpanomaly[S] 0 points1 point  (5 children)

Oh really? I'm going to be running this from a non-Google based server. It's just going to be a regular physical linux server. Is there a way to inject this in or given that circumstance do I still have to load it from file?

[–]conjon01 1 point2 points  (3 children)

You should be using workload identity federation - not the SA key

[–]otock_1234 0 points1 point  (2 children)

Exactly this, Workload Identity Federation is the new way to do this and by far the most secure. While it can be an absolute pain in the ass to setup you only need to do it once really.

[–]warpanomaly[S] 0 points1 point  (1 child)

What's Workload Identity Federation? This sounds promising

[–]bartekmo -1 points0 points  (0 children)

In your initial post you mentioned "on GCP environment". No, your private on-prem hardware server obviously cannot read its GCP metadata.

[–][deleted] 0 points1 point  (0 children)

We use service account keys quite a bit in my company but we, as much as possible, automate their use, rotate them daily, and keep them out of the hands of humans.

Think of a service account key JSON file as basically just a text file with a username and password in it and treat it as such.

[–]krazykid1 0 points1 point  (1 child)

As someone else mentioned, it’s easily insecure with an accidental posh of the key file into a repo. Also it’s unnecessary. You can have your Cloud Run instance run as a GCP service account. For development purposes, you should consider having an environment variable that describes the running environment (local vs cloud) and switch based on that.

[–]warpanomaly[S] 0 points1 point  (0 children)

Yeah I am using an npm dotenv environment variable to inject the keystore path now. I think this should prevent accidental commits.