How to manage google app engine service account private keys?

Question

I have a google app engine app that uses a service account to subscribe users at an associated Google Apps Domain to particular calendars.

I can get this working in my development environment by downloading the service account private key and then using that to authenticate.

But I am hesitant to upload the private key as part of my production deployment. Is that the best practice? Is there a better way to authenticate an App Engine service account to a Google Apps Domain that doesn't involve uploading my private key? What is the appropriate best practice?

Answer 1

If you are able to enable IAM API, then you can auto generate private key. I could find some workaround.

Authenticate service account without downloaded key on google app engine

Answer 2

App Engine applications in production come with a specific service account provided by the Identity service, but it does not allow you to impersonate a user the way regular service accounts do.

As a result, your best option is to upload the private key. For obvious security reasons it is better to :

• Use different service accounts across environments (one for dev, one for testing and one for production)
• Store the private keys separately from the code, at least the production and testing ones.

As a result, the best practice is to write a simple HTTP interface that will allow you to upload the private key and store it in the Datastore, along with the client id and client email.