How to store GOOGLE_APPLICATION_CREDENTIALS in an AWS ECS environment on Fargate?

Question

We have an API app that uses Firebase Admin to send messages to devices. Earlier, we used to specify the service account key using environment variable like GOOGLE_APPLICATION_CREDENTIALS="path_to_file.json". But now, since we are shifting to AWS Elastic Container Service on Fargate, I am unable to figure out how to put this file in the container for AWS ECS.

Any advice highly appreciated.

Thanks

Answer 1

Use the specific method from_service_account_info as described here. You then pass the content of the credentials json file as a dictionary.

Answer 2

Solved it by storing the service key as a JSON Stringified environment variable & using admin.credential.cert() instead of defaultAppCredentials. Refer: https://firebase.google.com/docs/reference/admin/node/admin.credential#cert

Answer 3

I would suggest instead AWS Secrets Manager that is purpose-built for storing secrets. Take a look to his blog post:

https://aws.amazon.com/blogs/compute/securing-credentials-using-aws-secrets-manager-with-aws-fargate/

Answer 4

Even better than using environment variables which have their own downsides, you can leverage AWS Parameter Store which is a secure way to manage secrets in the AWS environment (where secrets are encrypted both in transit and at rest).

You'd need to create an IAM role for Amazon ECS for your code to have access to the Parameter Store.

You may want to check this article: https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/