Reputation: 5136
I have a Google App Engine app that uses a service account to subscribe users at an associated Google Apps Domain to particular calendars.
I can get this working in my development environment by downloading the service account private key and then using that to authenticate.
But I am hesitant to upload the private key as part of my production deployment. Is that the best practice? Is there a better way to authenticate an App Engine service account to a Google Apps Domain that doesn't involve uploading my private key? What is the appropriate best practice?
Upvotes: 5
Views: 604
Reputation: 581
If you are able to enable the IAM API, then you can auto-generate a private key. I could find some workaround.
Authenticate service account without downloaded key on google app engine
Upvotes: 0
Reputation: 5478
App Engine applications in production come with a specific service account provided by the Identity service, but it does not allow you to impersonate a user the way regular service accounts do.
As a result, your best option is to upload the private key. For obvious security reasons it is better to:
As a result, the best practice is to write a simple HTTP interface that will allow you to upload the private key and store it in the Datastore, along with the client id and client email.
Upvotes: 4
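The design in the answer above keeps the key out of the deployed files: the app loads it at runtime and uses it only to sign the assertion that asks Google for a token acting as a domain user. The following is an added sketch of that assertion step, not code from any of the posts; `signer` is a hypothetical callable standing in for whatever holds the key, and the addresses used with it are constructed.

```python
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_URI = "https://oauth2.googleapis.com/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # Google rejects assertions valid for more than one hour


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_assertion(sa_email, subject, scopes, signer, now=None, lifetime=300):
    """Return a signed JWT asking for a token that acts as `subject`.

    `signer` is a hypothetical callable bytes -> RS256 signature bytes. It is
    the only place that touches the private key (for example a key loaded
    from the Datastore at runtime), so the key is not in the deployed files.
    """
    if not subject or "@" not in subject:
        raise ValueError("subject must be the domain user to impersonate")
    if not scopes:
        raise ValueError("at least one scope is required")
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    iat = int(time.time() if now is None else now)
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": sa_email,            # the service account
        "sub": subject,             # the domain user it acts for
        "scope": " ".join(scopes),  # keep to the scopes the domain admin granted
        "aud": TOKEN_URI,
        "iat": iat,
        "exp": iat + lifetime,
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def token_request_body(assertion: str) -> str:
    """Form body to POST to TOKEN_URI to exchange the assertion."""
    return urlencode({"grant_type": GRANT_TYPE, "assertion": assertion})
```

Because the key is reachable only through `signer`, rotating it or moving it to another store does not change this code, and a short `lifetime` limits how long a captured assertion stays usable.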