Hi there,

I’m trying to properly set up “GOOGLE_APPLICATION_CREDENTIALS” in my droplet. I’ve currently added the GOOGLE_APPLICATION_CREDENTIALS as an environment variable. Its value is the content of the json key file (containing credentials to verify usage of a Google Service), which is required to start the application.

On startup this environment variable is recognized, but Google needs the value to be an actual json file instead. A simple solution would be to add the key file to my repo and link the environment variable to that file. This is however unsafe.

Is there a way to generate a json file on startup, which contains the value I put in the environment variable? This is a solution which appears to work in Heroku, but I haven’t found something similar in DigitalOcean.

Of course any solution is welcome, as long as I don’t have to commit my json file to a repo.



I had this problem, too. I found a way to make a cred.json file in the build step.

  1. Set up a build cmd
  2. Prepare npm build script
  3. Set the path in env variable

A tricky part is that I kept failing to read the JSON file, and I finally came up with the solution of encoding the JSON to a base64 string and storing it in an env variable. Then, I decode it in the npm run build script to write a JSON file.
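The base64-in-an-environment-variable approach from this answer, as an added example that is not part of the original answer. It decodes at application startup instead of in the build step, so the key file never lands in the build output; `GOOGLE_CREDS_B64` and `writeCredentials` are assumed names, and the field check assumes a Google service-account key.

```javascript
// Added example (not from the thread): materialise a service-account key
// from a base64 environment variable at application startup.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Fields a Google service-account key file is expected to carry.
const REQUIRED = ['type', 'project_id', 'private_key', 'client_email'];

// GOOGLE_CREDS_B64 is an assumed variable name holding `base64 < key.json`.
function writeCredentials(env = process.env, dir = os.tmpdir()) {
  const b64 = env.GOOGLE_CREDS_B64;
  if (!b64) throw new Error('GOOGLE_CREDS_B64 is not set');

  // Buffer.from() silently skips invalid base64, so validate by parsing.
  const text = Buffer.from(b64, 'base64').toString('utf8');
  let key;
  try {
    key = JSON.parse(text);
  } catch {
    throw new Error('GOOGLE_CREDS_B64 does not decode to JSON');
  }
  const missing = REQUIRED.filter((f) => typeof key?.[f] !== 'string');
  if (missing.length) throw new Error(`key is missing: ${missing.join(', ')}`);

  // Fresh private directory outside the repo; file readable by owner only.
  // 'wx' refuses to overwrite or follow a pre-existing file at that path.
  const tmp = fs.mkdtempSync(path.join(dir, 'gcp-'));
  const file = path.join(tmp, 'cred.json');
  fs.writeFileSync(file, text, { mode: 0o600, flag: 'wx' });

  // Point the Google client libraries at the file, then drop the raw secret
  // so child processes and environment dumps do not carry it.
  env.GOOGLE_APPLICATION_CREDENTIALS = file;
  delete env.GOOGLE_CREDS_B64;
  return file;
}
```

Call `writeCredentials()` once, before any Google client library is constructed.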

Alright I spent an entire evening looking at this and I don’t think DO has a good answer. Google Cloud, AWS, Azure all offer their own solutions. Whilst DO Applications are Heroku-platformed (I think), which is hosted on AWS, you can’t make use of AWS’ solutions to this end due to lack of IAM, command line tools in the application instance, etc. So here are your options as I understand it:

  1. Try and use one of the above big-platformed solutions’ credential stores OR HashiCorp Vault (Others are available) but most cost $$. They all work in a similar way (Requiring command line tools to fetch data securely from their vault) and look like a real chore to set up with IAM requirements, deploying in a Docker Container to give access to the command line tools if using DO Application, and so on. Not even sure if these would work fully with a DO Application. Not got time to try this out at the moment.

  2. Launch your service in a Docker Swarm and use Docker Secrets (Not tried this) - Could be the best solution. For me it means making sure my application works in a Docker Swarm setup though.

  3. [what I am doing for now] As I referenced in a previous answer create a build command that uses Bash commands to create your Google_app_creds file. In this case I am storing strings like the private key and project ID in environment variables and using sed to substitute this to the file at build time. This is definitely NOT that secure but better than having the key in a repo. I haven’t tested this end-to-end yet but I am confident it will work.

I will investigate other ways of doing this properly longer term, but for me at least, it allows me to continue development.


I actually asked an almost-identical question below!!

Looking at your Heroku answer, it sounds like the best way is just to echo an environment variable to a JSON file during the build step:


  • build_command: echo "$GOOGLE_CREDS" > google.json