By airrudi
Hi there,
I’m trying to properly set up “GOOGLE_APPLICATION_CREDENTIALS” (https://cloud.google.com/docs/authentication/getting-started) in my droplet. I’ve currently added the GOOGLE_APPLICATION_CREDENTIALS as an environment variable. Its value is the content of the JSON key file (containing credentials to verify usage of a Google Service), which is required to start the application.
On startup this environment variable is recognized, but Google needs the value to be an actual json file instead. A simple solution would be to add the key file to my repo and link the environment variable to that file. This is however unsafe.
Is there a way to generate a json file on startup, which contains the value I put in the environment variable? This is a solution which appears to work in Heroku (https://github.com/elishaterada/heroku-google-application-credentials-buildpack/issues/2#issuecomment-580212700), but I haven’t found something similar in Digital Ocean.
Of course any solution is welcome, as long as I don’t have to commit my json file to a repo.
Thanks!
I had this problem, too. I found a way to make a cred.json file in the build step.
A tricky part is that I kept failing to read the JSON file, and I finally came up with the solution of encoding the JSON to a base64 string and storing it in an env variable. Then, I decode it in the npm run build script to write a JSON file.
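The base64 approach described in this answer, written as a Node.js helper that is called at application start. This is an added example, not code from the original answer; the variable name `GOOGLE_CREDENTIALS_B64`, the output path and the sample key are assumptions.

```javascript
// Added example. GOOGLE_CREDENTIALS_B64 and the output path are assumed names.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const REQUIRED = ['project_id', 'private_key', 'client_email'];

// Decode and validate without ever echoing the decoded text (it holds key material).
function decodeServiceAccountKey(b64) {
  if (!b64) throw new Error('credential variable is empty or unset');
  let key;
  try {
    // Buffer.from() skips invalid base64 silently, so JSON.parse is the real check.
    key = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch {
    throw new Error('credential variable does not decode to JSON');
  }
  if (key === null || typeof key !== 'object' || key.type !== 'service_account') {
    throw new Error('decoded JSON is not a service account key');
  }
  const missing = REQUIRED.filter((f) => typeof key[f] !== 'string' || !key[f]);
  if (missing.length) throw new Error(`key is missing: ${missing.join(', ')}`);
  return key;
}

// Write the key outside the source tree, readable by the owner only, and point
// the Google client libraries at it.
function writeCredentialsFile(env, outPath) {
  const key = decodeServiceAccountKey(env.GOOGLE_CREDENTIALS_B64);
  fs.rmSync(outPath, { force: true }); // start from a fresh file
  fs.writeFileSync(outPath, JSON.stringify(key), { mode: 0o600, flag: 'wx' });
  env.GOOGLE_APPLICATION_CREDENTIALS = outPath;
  delete env.GOOGLE_CREDENTIALS_B64; // keep the raw secret away from child processes
  return outPath;
}

// Constructed sample, not a real key.
const SAMPLE_B64 = Buffer.from(JSON.stringify({
  type: 'service_account',
  project_id: 'example-project',
  private_key: 'CONSTRUCTED-NOT-A-REAL-KEY',
  client_email: 'app@example-project.iam.gserviceaccount.com',
})).toString('base64');

// Runs only when the variable is actually set, e.g. first thing at app start.
if (process.env.GOOGLE_CREDENTIALS_B64) {
  writeCredentialsFile(process.env, path.join(os.tmpdir(), 'gcp-credentials.json'));
}
```

Calling the helper when the process starts, rather than in the build step, keeps the key file out of the build artifact and its cached layers.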
Hello
I actually asked an almost-identical question below!!
Looking at your Heroku answer, it sounds like the best way is just to echo an environment variable to a JSON file during the build step.
services:
Alright, I spent an entire evening looking at this and I don’t think DO has a good answer. Google Cloud, AWS, Azure all offer their own solutions. Whilst DO Applications are Heroku-platformed (I think), which is hosted on AWS, you can’t make use of AWS’ solutions to this end due to lack of IAM, command line tools in the application instance, etc. So here are your options as I understand it:
Try and use one of the above big-platformed solutions’ credential stores OR HashiCorp Vault (others are available), but most cost $$. They all work in a similar way (requiring command line tools to fetch data securely from their vault) and look like a real chore to set up with IAM requirements, deploying in a Docker Container to give access to the command line tools if using DO Application, and so on. Not even sure if these would work fully with a DO Application. Not got time to try this out at the moment.
Launch your service in a Docker Swarm and use Docker Secrets (Not tried this) - Could be the best solution. For me it means making sure my application works in a Docker Swarm setup though.
[what I am doing for now] As I referenced in a previous answer create a build command that uses Bash commands to create your Google_app_creds file. In this case I am storing strings like the private key and project ID in environment variables and using sed to substitute this to the file at build time. This is definitely NOT that secure but better than having the key in a repo. I haven’t tested this end-to-end yet but I am confident it will work.
I will investigate other ways of doing this properly longer term, but for me at least, it allows me to continue development.