Reputation: 6354
"Do not embed secrets related to authentication in source code" - one may hear frequently. Okay, so I use the Key Management Service and Secret Manager.
But then, how do I correctly access secrets stored there from Compute Engine's VM and from my local dev environment?
I can think of either:
1. Accessing the secrets using the default Service Account credentials, but then how do I access the secrets in the local development environment and inside of my local Docker containers (i.e. outside the Compute Engine)?
2. Accessing the secrets using a custom Service Account, but then I need to store its JSON key somewhere and access it from my code. For that I have two options:
  2.1. Store it with the source code, so I have it on the dev machine and in the Docker container. But then that goes against the opening statement "Do not embed secrets ... in source code". Bad idea.
  2.2. Store it somewhere on my dev machine. But then how does my Docker container access it? I could provide the key as a Docker secret, but wouldn't that be yet again "embedding in source code"? Upon starting the container on my VM I'd need to provide that secret from somewhere, yet again going back to the question of how the secret arrives at the VM in the first place.
I know that Application Default Credentials (ADC) can try to use option 2 and then fall back on option 1 - yet, how do I solve the conflict from option 2? Where should the Service Account credentials reside to be accessible in both my local dev and in a local container - and not embedded in the source code?
Upvotes: 2
Views: 2669
Reputation: 409
Your idea with Cloud Storage is good and works around your needs. The easiest way to access the secrets stored in Secret Manager from a VM instance will be by curl, a gcloud command or a Python script "accessing a secret version", then storing them as an ephemeral variable in the code where they are meant to be used. The service account to use could be the CE default service account; just keep in mind it has to have the secretmanager.secretAccessor and/or secretmanager.admin roles to be able to grab them from SM. Additionally, make sure the VM instance has the correct API scopes for all GCP resources, or at least for the security APIs.
Upvotes: 0
Reputation: 6354
I found one way to make this work (sort of):
1. On the local dev env, rely on GOOGLE_APPLICATION_CREDENTIALS to point to the Service Account credentials manually downloaded from the GCP.
2. In a local Docker container, provide that same file as a secret. My app then searches /run/secrets/ for it if GOOGLE_APPLICATION_CREDENTIALS is not set.
3. On the Compute Engine VM, download that file from a Google Storage bucket (having previously uploaded it). Given that the default Service Account is used if no other credential is specified, I'm able to gsutil cp that file from a bucket. Then provide that downloaded file as a secret to the container.
Still, I'm not sure if that's good from the side of not embedding in the source code. It also feels quite manual with all the uploading and downloading of the credentials from the bucket. Any hints on how to improve this authentication are most welcome.
Upvotes: 2
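One way to wire up the lookup order this answer describes, as an added example that is not code from the question's author or from Google: it honours GOOGLE_APPLICATION_CREDENTIALS first (local dev), then a Docker secret under /run/secrets/, and otherwise defers to Application Default Credentials, which on a Compute Engine VM uses the attached service account through the metadata server, so no key file has to be copied to the VM at all. The Docker secret name gcp_sa_key, the project and secret IDs, and the google-cloud-secret-manager client library are assumptions.

```python
import os
from pathlib import Path
from typing import Mapping, Optional

# Assumed name of the Docker secret holding the service-account key file;
# it must match the name used with `docker run --secret` / compose `secrets:`.
DOCKER_SECRET_NAME = "gcp_sa_key"
DOCKER_SECRETS_DIR = Path("/run/secrets")


def resolve_credentials_file(env: Optional[Mapping[str, str]] = None,
                             secrets_dir: Path = DOCKER_SECRETS_DIR) -> Optional[str]:
    """Return the path of a service-account key file to use, or None to let ADC decide.

    Lookup order:
      1. GOOGLE_APPLICATION_CREDENTIALS already set (local dev)  -> use it as-is.
      2. <secrets_dir>/<DOCKER_SECRET_NAME> exists (Docker)       -> use that file.
      3. Neither (Compute Engine)                                 -> None; ADC then
         uses the VM's attached service account via the metadata server.
    """
    env = os.environ if env is None else env
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        return explicit
    candidate = secrets_dir / DOCKER_SECRET_NAME
    if candidate.is_file():
        return str(candidate)
    return None


def access_secret_version(project_id: str, secret_id: str, version: str = "latest") -> str:
    """Fetch one secret version and return its payload; it is never written to disk or logged."""
    # Imported lazily so resolve_credentials_file() works without the client library installed.
    from google.cloud import secretmanager

    key_file = resolve_credentials_file()
    if key_file is not None:
        # Point ADC at the resolved file; the client library reads this variable itself.
        os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = key_file
    client = secretmanager.SecretManagerServiceClient()
    name = f"projects/{project_id}/secrets/{secret_id}/versions/{version}"
    response = client.access_secret_version(request={"name": name})
    return response.payload.data.decode("utf-8")


if __name__ == "__main__":
    # Placeholder IDs; the caller needs roles/secretmanager.secretAccessor on the secret.
    print(access_secret_version("my-project-id", "my-secret-id"))
```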