oikonomiyaki

Reputation: 7951

No GOOGLE_APPLICATION_CREDENTIALS in Cloud Functions deployment

I have a Cloud Function that interacts with Cloud Storage and BigQuery and they all belong to the same project. The usual way that I have followed when deploying Cloud Function from the command line is this:

$ gcloud functions deploy my_function ... --set-env-vars GOOGLE_APPLICATION_CREDENTIALS=my_project_credentials.json

Where my_project_credentials.json is a JSON key file that contains the service account and key that allow access to Cloud Storage and BigQuery.

As this is the way I have always done it, what I need is another way in order to avoid this JSON credentials file altogether (since these interacting services belong to the same Google Cloud project anyway). Is there such a way? I am a bit new to Google Cloud, so I am not familiar with the ins and outs of IAM.

(An additional reason that I need this is that I have a client who is not comfortable with me as a developer having access to that JSON key, and he/she also doesn't want that JSON key deployed alongside the Function code. Kindly provide some details on how to do this in IAM, particularly for BigQuery and Cloud Storage, as I don't have control over IAM either.)

Upvotes: 3

Views: 5356

Answers (2)

guillaume blaquiere

Reputation: 75900

When you can, and at least when your application runs on GCP, you mustn't use a service account key file. Two reasons:

  • It's a simple file for the authentication: you can easily copy it, send it by email and even commit it to your code repository, maybe a public one!!
  • It's a secret, you have to store it securely and rotate it frequently (Google recommends at least every 90 days). It's hard to manage, you have to redeploy your function every 90 days with a new security file!

So, my peers Gabe and Kolban are right. Use the function identity:

  • Either you specify the service account email when deploying the function
  • Or the default service account will be used (the one of Compute Engine, with the Editor role by default. Not really safe, prefer the first solution)

In your code, use getDefaultCredential (depending on the language, the name changes slightly but the meaning is the same). If you look into the source code, you will see that the function performs this:

  • Look if the GOOGLE_APPLICATION_CREDENTIALS env var exists. If so, use it
  • Look if the "well known file" exists. Depending on the OS, and when you perform a gcloud auth application-default login, the credentials are stored in different places locally. The library looks for them.
  • Look if the metadata server exists. This link references Compute Engine but other environments follow the same principle.

There is no "magic" stuff. The metadata server knows the identity of the function and can generate access and identity tokens on demand. The libraries implement calls to it if your code runs on GCP -> That's why you never need a service account key file, the metadata server is here to serve you this information!

Upvotes: 8
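As an added example (not from this answer or from Google's documentation), the IAM and deploy steps the answer points to, written as a POSIX sh script: a dedicated runtime service account with only the Storage and BigQuery roles the function needs, and a deploy that uses `--service-account` instead of shipping a key file through `--set-env-vars`. Project, bucket, dataset, runtime and service-account names are constructed placeholders; gcloud commands are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: replace the key-file env var with a least-privilege runtime identity.
# All names below are constructed placeholders; override them via the environment.
PROJECT="${PROJECT:-my-project}"
SA_NAME="${SA_NAME:-my-function-sa}"
SA_EMAIL="${SA_NAME}@${PROJECT}.iam.gserviceaccount.com"
BUCKET="${BUCKET:-my-input-bucket}"

# Dry-run by default: print the gcloud command instead of executing it.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# 1. A service account used only by this function, instead of the project's
#    default Compute Engine account (which carries the broad Editor role).
create_identity() {
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT" \
      --display-name "Runtime identity for my_function"
}

# 2. Grant only what the function needs. Storage access is scoped to one bucket;
#    jobUser lets it run queries and dataEditor lets it write tables. (Scoping
#    dataEditor to a single dataset instead of the project is tighter still.)
grant_least_privilege() {
  run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
      --member "serviceAccount:$SA_EMAIL" --role roles/storage.objectViewer
  run gcloud projects add-iam-policy-binding "$PROJECT" \
      --member "serviceAccount:$SA_EMAIL" --role roles/bigquery.jobUser
  run gcloud projects add-iam-policy-binding "$PROJECT" \
      --member "serviceAccount:$SA_EMAIL" --role roles/bigquery.dataEditor
}

# 3. Deploy with the function identity. No GOOGLE_APPLICATION_CREDENTIALS env var:
#    the client libraries fall through to the metadata server, which issues tokens
#    for SA_EMAIL on demand. The runtime flag is a placeholder.
deploy_function() {
  run gcloud functions deploy my_function --project "$PROJECT" \
      --runtime python39 --trigger-http --service-account "$SA_EMAIL"
}

create_identity
grant_least_privilege
deploy_function
```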

Gabe Weiss

Reputation: 3342

What Kolban said. When you deploy your Cloud Function you can define a service account to use, and then any API calls that use Application Default Credentials will automatically use that service account without the need for a service account bearer token (the JSON file). Check out the docs here:

https://cloud.google.com/docs/authentication/production#auth-cloud-implicit-nodejs

Upvotes: 2
