Solved: Re: Where can i save google credential.json?

james8

Hello,

I have a webapi service to deploy in Cloud Run, I'm thinking about how to save the google credential.json?If save in Docker image is not safe enough.Is anybody could tell me how to do?Thanks.

DamianS

Hello @james8 ,Welcome on Google Cloud Community.

You should not use SA keys. Use Workload Identity Federation instead of keys https://cloud.google.com/iam/docs/workload-identity-federation

However, if you must use keys, store their values under Secret Manager https://cloud.google.com/security/products/secret-manager

--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost

View solution in original post

djs_75

but if you provide the permission to this account to secret manager when creating the account and pass the secret as an environment parameter when the container is created (see example I provided) it isn't circular, now if you want the user authenticating to the service to have the role - as Damian recommended you can pass it via the workload identity federation and providing their OIDC or group to pass the role. (it is also outlined here Configure secrets | Cloud Run Documentation | Google Cloud and from MSFT Safe storage of app secrets in development in ASP.NET Core | Microsoft Learn use the environment variable method and read it via API with constructor injection Safe storage of app secrets in development in ASP.NET Core | Microsoft Learn). In C# - here is the package to include to call it based on the environment variable or the invoker service account configured for the service (it is more circular based one the degree of granularity within the application) Secret Manager client libraries | Secret Manager Documentation | Google Cloud

Another example Secret Manager: Improve Cloud Run security without changing the code | by guillaume blaquiere | Goog...

View solution in original post

DamianS

Hello @james8 ,Welcome on Google Cloud Community.

You should not use SA keys. Use Workload Identity Federation instead of keys https://cloud.google.com/iam/docs/workload-identity-federation

However, if you must use keys, store their values under Secret Manager https://cloud.google.com/security/products/secret-manager

--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost

james8

Thanks for reply DamianS.

djs_75

Secrets manager - 1)ensure the invoker service account in Cloud Run has permissions on the secret 2)store the secret in secrets manager and pull in as an environment variable

For an example, Use secrets from Secret Manager | Cloud Build Documentation | Google Cloud

james8

Thanks for reply djs_75.

james8

Finally,When i running this code,I should give another Google service account's credential.JSON,so the question still there.Because i should attach account credential.json also.

How to solve the question?Thanks.

I write the following code:

// Retrieve the secret value from Secret Manager
string projectId = "myproject";
string secretId = "secret";
SecretManagerServiceClient client = SecretManagerServiceClient.Create();

string secretVersionName = $"projects/{projectId}/secrets/{secretId}/versions/latest";

// Access the secret version
AccessSecretVersionResponse response = client.AccessSecretVersion(secretVersionName);

// Extract the SecretVersion object from the response
//SecretVersion secretVersion = response.Payload;//.Name;

// Get the secret value
string secretValue = response.Payload.Data.ToStringUtf8(); //secretVersion.Payload.Data;

// Write the secret value to a temporary file
string tempFilePath = Path.GetTempFileName();
File.WriteAllText(tempFilePath, secretValue);

// Set the environment variable
Environment.SetEnvironmentVariable("GOOGLE_APPLICATION_CREDENTIALS", tempFilePath);

DamianS

Is this C# ? Or which programming language do you use ?

--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost

james8

C#

DamianS

Ouu, I'm not familiar with C#, so I'm not able to help you with this 😞

james8

Hi Damians,

Thanks for your reply.

If other language,i think has same problem with c#.

I put credential.json in SecretManager, and i should create a service account to access SecretManager to get saved credential.json.And i need generate this service account's JSON file to download to set to "GOOGLE_APPLICATION_CREDENTIALS".

But i use SecretManager is for save credential.json, and need other credential.json to access SecretManager, finally i still need save a credential.json with my project, this is my question.

DamianS

Yes, this is circular problem with service account keys. You need credentials to obtain credentials. And yes, you could only grant ServiceAcc1 permissions to obtain specific Vault and then rest of magic could happen after usage of ServiceAccount2 Key, but still. Credentials to credentials ( less scoped to wider scoped). This is why I've mentioned about Workload Identity Federation as a first option.

james8

Thank you so much,I try to use Workload Identity Federation.

james8

Hi Damians,

Can i ask you a question that i have finish setting Workload Identity Federation with Github,and deploy.

Now how to use WIF in my c# code?

Thanks.

DamianS

Well, usage depends on libraries available for you programming language. @djs_75 provided available options for that

djs_75

but if you provide the permission to this account to secret manager when creating the account and pass the secret as an environment parameter when the container is created (see example I provided) it isn't circular, now if you want the user authenticating to the service to have the role - as Damian recommended you can pass it via the workload identity federation and providing their OIDC or group to pass the role. (it is also outlined here Configure secrets | Cloud Run Documentation | Google Cloud and from MSFT Safe storage of app secrets in development in ASP.NET Core | Microsoft Learn use the environment variable method and read it via API with constructor injection Safe storage of app secrets in development in ASP.NET Core | Microsoft Learn). In C# - here is the package to include to call it based on the environment variable or the invoker service account configured for the service (it is more circular based one the degree of granularity within the application) Secret Manager client libraries | Secret Manager Documentation | Google Cloud

Another example Secret Manager: Improve Cloud Run security without changing the code | by guillaume blaquiere | Goog...

djs_75

btw, by default the Cloud Run service uses the compute service account - create a custom service account and give it the roles your application requires to GCP APIs, if the application/service has RBAC built in you'll need to add the logic (As @DamianS stated workload identity services is the easiest or if want it for a specific interface and you handle programmatically then call a separate service account/secret with the constructor)

djs_75

Which Workload Identity Federation is OIDC (Configure Workload Identity Federation with other identity providers | IAM Documentation | Googl...) request so no special package for GCP you can use NuGet Gallery | Microsoft.AspNetCore.Authentication.OpenIdConnect 8.0.6 or a 3rd party IdentityModel/IdentityModel.OidcClient: Certified C#/NetStandard OpenID Connect Client Library for n...

james8

Thank you so much