Reputation: 5739
I'm trying to use Google Cloud Vision API with Node and run the application on Heroku. Something very close to this example:
https://github.com/googleapis/nodejs-vision
However, the Google API wants to authenticate by reading a file containing the service account, and the location of the file is read using an environment variable. Is there a way to either securely store this file using Heroku, or somehow utilize Heroku Config Vars?
Upvotes: 8
Views: 4592
Reputation: 681
@dsesto's answer works well. Previously, another solution was to use a buildpack that read the environment variable and then wrote it to a file, but with the introduction of Heroku dot-profiles, you can actually read the environment variable and write it to a JSON file on dyno startup. This keeps the JSON file out of version control and AFAIK should be secure (someone please correct me if I'm wrong about this).
# .profile
# Quote the variable so the shell does not word-split or glob-expand the JSON.
echo "${GOOGLE_CREDENTIALS}" > /app/google-credentials.json
Upvotes: 2
Reputation: 755
I'd recommend checking out this SO question; it solves the above issue without a lot of the faff that Google want you to go through. https://stackoverflow.com/a/53732919/5037755
Upvotes: 0
Reputation: 8178
The documentation for the NodeJS Google Auth Library actually provides a complete example on how to load credentials from environment variables. Specifically, it says this approach is recommended when using Heroku-like systems, so I think you should definitely have a look at it.
Once you download the credentials for your service account, with the format below, you can use them by following these steps:
process.env['NAME_OF_YOUR_ENV_VAR'];
JSON.parse(keysVar);
GoogleAuth.fromJSON() method.
Credentials format:
$ export CREDS='{
"type": "service_account",
"project_id": "your-project-id",
"private_key_id": "your-private-key-id",
"private_key": "your-private-key",
"client_email": "your-client-email",
"client_id": "your-client-id",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "your-cert-url"
}'
You can find a more detailed example on how to use them in the Google Auth documentation I shared in the second link (or also directly here in this example file), so feel free to adapt it to your use case as convenient.
Upvotes: 12
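An added example, not code from any of the answers or from Google's libraries: it reads the service account JSON from a config var, validates it, and keeps key material out of error messages before the credentials reach a client. The variable name GOOGLE_CREDENTIALS is taken from the .profile answer; the helper names are hypothetical, and the sketch assumes the `credentials` and `projectId` options of `ImageAnnotatorClient` in @google-cloud/vision.

```javascript
// Added example. loadServiceAccount, makeVisionClient and sampleEnv are hypothetical names.
const REQUIRED = ['type', 'project_id', 'private_key', 'client_email'];
function loadServiceAccount(env = process.env, name = 'GOOGLE_CREDENTIALS') {
  const raw = env[name];
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new Error(`${name} is not set`);
  }
  let creds;
  try {
    creds = JSON.parse(raw);
  } catch (err) {
    // Do not rethrow err: newer Node versions quote part of the input in the
    // message, which would copy key material into the application logs.
    throw new Error(`${name} does not contain valid JSON`);
  }
  if (creds === null || typeof creds !== 'object' || Array.isArray(creds)) {
    throw new Error(`${name} must be a JSON object`);
  }
  const missing = REQUIRED.filter((k) => typeof creds[k] !== 'string' || creds[k] === '');
  if (missing.length > 0) {
    throw new Error(`${name} is missing fields: ${missing.join(', ')}`);
  }
  if (creds.type !== 'service_account') {
    throw new Error(`${name} is not a service account key`);
  }
  // A doubly escaped key arrives with literal "\n" text; restore real newlines.
  creds.private_key = creds.private_key.replace(/\\n/g, '\n');
  return creds;
}

// Not called here: needs the @google-cloud/vision package and real credentials.
function makeVisionClient(creds) {
  const vision = require('@google-cloud/vision');
  return new vision.ImageAnnotatorClient({
    projectId: creds.project_id,
    credentials: { client_email: creds.client_email, private_key: creds.private_key },
  });
}

// Constructed sample value, not a real key.
const sampleEnv = {
  GOOGLE_CREDENTIALS: JSON.stringify({
    type: 'service_account',
    project_id: 'example-project',
    private_key: '-----BEGIN PRIVATE KEY-----\\nAAAA\\n-----END PRIVATE KEY-----\\n',
    client_email: 'svc@example-project.iam.gserviceaccount.com',
  }),
};
console.log(loadServiceAccount(sampleEnv).client_email);
```

With this approach nothing is written to the dyno's filesystem, so there is no credentials file whose permissions or lifetime need managing.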