Hi there,

I’m trying to properly set up “GOOGLE_APPLICATION_CREDENTIALS” (https://cloud.google.com/docs/authentication/getting-started) in my droplet. I’ve currently added GOOGLE_APPLICATION_CREDENTIALS as an environment variable. Its value is the content of the JSON key file (containing credentials to verify usage of a Google service), which is required to start the application.

On startup this environment variable is recognized, but Google needs the value to be an actual JSON file instead. A simple solution would be to add the key file to my repo and point the environment variable at that file. This is however unsafe.

Is there a way to generate a JSON file on startup which contains the value I put in the environment variable? This is a solution which appears to work in Heroku (https://github.com/elishaterada/heroku-google-application-credentials-buildpack/issues/2#issuecomment-580212700), but I haven’t found something similar in DigitalOcean.

Of course any solution is welcome, as long as I don’t have to commit my JSON file to a repo.

Thanks!



Hello

I actually asked an almost-identical question below!!

Looking at your Heroku answer it sounds like the best way is just to echo an environment variable to a JSON file during the build step:

    services:
      - build_command: echo "$GOOGLE_CREDS" > google.json

Alright, I spent an entire evening looking at this and I don’t think DO has a good answer. Google Cloud, AWS and Azure all offer their own solutions. Whilst DO Applications are Heroku-platformed (I think), which is hosted on AWS, you can’t make use of AWS’ solutions to this end due to lack of IAM, command line tools in the application instance, etc. So here are your options as I understand them:

1) Try and use one of the above big-platformed solutions’ credential stores OR HashiCorp Vault (others are available), but most cost $$. They all work in a similar way (requiring command line tools to fetch data securely from their vault) and look like a real chore to set up with IAM requirements, deploying in a Docker container to give access to the command line tools if using DO Application, and so on. Not even sure if these would work fully with a DO Application. Not got time to try this out at the moment.

2) Launch your service in a Docker Swarm and use Docker Secrets (not tried this). Could be the best solution. For me it means making sure my application works in a Docker Swarm setup though.

3) [what I am doing for now] As I referenced in a previous answer, create a build command that uses Bash commands to create your Googleappcreds file. In this case I am storing strings like the private key and project ID in environment variables and using sed to substitute them into the file at build time. This is definitely NOT that secure, but better than having the key in a repo. I haven’t tested this end-to-end yet but I am confident it will work.

I will investigate other ways of doing this properly longer term, but for me at least, it allows me to continue development.
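The question above and option 3) both come down to the same step: turning a key held in an environment variable into a file the Google client libraries can open. The script below is an added example written for this page, not code from the thread or from DigitalOcean; it assumes a hypothetical variable GOOGLE_CREDS_JSON holding the key and a writable /tmp, and it is meant to run from the app's run command (at start) rather than the build command, so the key never lands in the repo or the build artifact. The sample key embedded at the bottom is constructed and contains no real material.

```shell
#!/bin/sh
# Added example (not from the original thread): materialise a service-account
# key held in an environment variable into a file that Google client libraries
# can read via GOOGLE_APPLICATION_CREDENTIALS.
#
# Assumptions (not from the page): the key JSON is supplied in the hypothetical
# variable GOOGLE_CREDS_JSON, and the runtime user may write to /tmp. A private
# directory owned by the app user is preferable to /tmp where one exists.

# write_gcp_creds JSON_TEXT DEST_PATH
#   Writes JSON_TEXT to DEST_PATH with mode 0600 and prints DEST_PATH.
#   Fails (non-zero) if the input is empty or does not look like a
#   service-account key, i.e. lacks the "type" or "private_key" members,
#   so a mis-set variable is caught at start instead of at first API call.
write_gcp_creds() {
    json="$1"
    dest="$2"
    [ -n "$json" ] || { echo "empty credential JSON" >&2; return 1; }
    case "$json" in
        *'"type"'*) ;;
        *) echo "credential JSON has no \"type\" member" >&2; return 1 ;;
    esac
    case "$json" in
        *'"private_key"'*) ;;
        *) echo "credential JSON has no \"private_key\" member" >&2; return 1 ;;
    esac
    # Remove any stale copy first so the new file is created under umask 077
    # (0600) from its first byte rather than inheriting an older, laxer mode.
    # printf '%s' rather than echo: dash's echo interprets backslash escapes,
    # which would corrupt the "\n" sequences inside a PEM private key.
    ( umask 077 && rm -f "$dest" && printf '%s\n' "$json" > "$dest" ) || return 1
    printf '%s\n' "$dest"
}

# creds_file_mode PATH -> octal permission bits, e.g. 600
creds_file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed sample key for demonstration only; every value is a placeholder.
SAMPLE_KEY_JSON='{"type": "service_account", "project_id": "example-project", "private_key_id": "0000", "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n", "client_email": "svc@example-project.iam.gserviceaccount.com"}'

# Typical use at app start (hypothetical variable name GOOGLE_CREDS_JSON):
if [ -n "${GOOGLE_CREDS_JSON:-}" ]; then
    GOOGLE_APPLICATION_CREDENTIALS=$(write_gcp_creds "$GOOGLE_CREDS_JSON" /tmp/gcp-key.json) \
        && export GOOGLE_APPLICATION_CREDENTIALS
fi
```

Two details matter more than they look. Quoting the expansion (`"$json"`, not bare `$GOOGLE_CREDS`) stops the shell from word-splitting the key, and `printf '%s'` instead of `echo` keeps the literal `\n` sequences inside the PEM block intact under /bin/sh; either mistake produces a file that parses as JSON but fails signature verification later. Creating the file under `umask 077` means the key is never world-readable, even for an instant.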