Securing service account keys

I am using the Google API discovery module to build a gmail api that fetches some labels from my inbox using Google Cloud Functions. 

https://googleapis.github.io/google-api-python-client/docs/epy/googleapiclient.discovery-module.html 

 
As part of the parameters, I am passing service account key credentials in json format like this:
 
from google.oauth2 import service_account
from googleapiclient import discovery

def get_service(api_name, api_version, scopes, USER_EMAIL):
    # Load the SA key file copied to /tmp (the stray "}" in the original path is removed)
    credentials = service_account.Credentials.from_service_account_file('/tmp/path-to-keys.json', scopes=scopes)
    # Domain-wide delegation: act on behalf of the mailbox owner
    delegated_credentials = credentials.with_subject(USER_EMAIL)
    service = discovery.build(api_name, api_version, cache_discovery=False, credentials=delegated_credentials)
    return service
 
My current solution fetches the SA keys from a cloud storage bucket. I am concerned about the security and management of service account keys and was thinking about enhancing the solution to store the keys in Secret manager instead. However, I found out that this is also not a best practice.
 
I am curious to learn about people's opinions on this and whether there is a more robust way of implementation.
 
Thanks!
 
 
 
 
1 ACCEPTED SOLUTION

If I am reading the post correctly, I am sensing that the call to gmail is happening from Cloud Functions. Your Cloud Function service is running under the auspices of a Service Account already. If it were me, I'd be looking to create a Service Account that your Cloud Function runs as that you then give authorization to call gmail. When your Cloud Function then calls gmail, you will already be implicitly authorized for gmail. There are no keys involved at all ... only configuration of the environment.
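One way to implement the keyless pattern the answer describes, as an added example that is not from the original post and not sample code from Google's client libraries: the function runs as its attached service account (obtained through Application Default Credentials), asks the IAM Credentials API to sign the domain-wide-delegation assertion for it (the signJwt method, so the private key never leaves Google), and exchanges that assertion at the OAuth token endpoint for a Gmail access token for USER_EMAIL. Assumptions, all mine: the runtime service account has roles/iam.serviceAccountTokenCreator on itself, its client ID is authorized for the Gmail scope in the Workspace admin console, and the function names, GMAIL_SCOPES and list_labels are hypothetical.

```python
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
IAM_SIGN_URI = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{sa}:signJwt"
GMAIL_SCOPES = ["https://www.googleapis.com/auth/gmail.labels"]  # constructed for this example
MAX_LIFETIME = 3600  # jwt-bearer assertions valid for more than one hour are rejected


def build_delegation_claims(sa_email, user_email, scopes, now=None, lifetime=MAX_LIFETIME):
    """Claim set of the assertion used for domain-wide delegation.

    iss = the function's runtime service account, sub = the mailbox owner
    to act as, aud = Google's OAuth token endpoint.
    """
    if not scopes:
        raise ValueError("at least one scope is required")
    if lifetime <= 0 or lifetime > MAX_LIFETIME:
        raise ValueError("assertion lifetime must be between 1 and 3600 seconds")
    iat = int(time.time() if now is None else now)
    return {
        "iss": sa_email,
        "sub": user_email,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": iat,
        "exp": iat + lifetime,
    }


def fetch_delegated_access_token(user_email, scopes):
    """Mint an access token for user_email without any service-account key file."""
    import google.auth
    from google.auth.transport.requests import AuthorizedSession, Request

    # Application Default Credentials: inside Cloud Functions this is the
    # service account the function was deployed with (--service-account).
    source_creds, _ = google.auth.default(
        scopes=["https://www.googleapis.com/auth/cloud-platform"])
    source_creds.refresh(Request())  # fills in service_account_email on metadata-server creds
    sa_email = source_creds.service_account_email

    # Step 1: the IAM Credentials API signs the assertion with a Google-managed key.
    # Requires roles/iam.serviceAccountTokenCreator for the runtime SA on itself (assumption).
    claims = build_delegation_claims(sa_email, user_email, scopes)
    session = AuthorizedSession(source_creds)
    signed = session.post(IAM_SIGN_URI.format(sa=sa_email),
                          json={"payload": json.dumps(claims)})
    signed.raise_for_status()

    # Step 2: exchange the signed assertion for a user-scoped access token.
    import requests
    token_resp = requests.post(TOKEN_URI, data={
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": signed.json()["signedJwt"],
    }, timeout=10)
    token_resp.raise_for_status()
    return token_resp.json()["access_token"]


def get_gmail_service(user_email, scopes=GMAIL_SCOPES):
    """Keyless replacement for the key-file based builder in the question."""
    from google.oauth2.credentials import Credentials
    from googleapiclient import discovery

    creds = Credentials(token=fetch_delegated_access_token(user_email, scopes))
    return discovery.build("gmail", "v1", credentials=creds, cache_discovery=False)


def list_labels(user_email):
    """The original use case: label names from the delegated user's mailbox."""
    service = get_gmail_service(user_email)
    resp = service.users().labels().list(userId="me").execute()
    return [label["name"] for label in resp.get("labels", [])]
```

The environment configuration the answer refers to is then: deploy with `gcloud functions deploy ... --service-account=<dedicated SA>`, grant that SA `roles/iam.serviceAccountTokenCreator` on itself with `gcloud iam service-accounts add-iam-policy-binding`, and authorize its client ID for the Gmail scope under domain-wide delegation in the Workspace admin console. Nothing is read from a bucket or Secret Manager, so there is no key to rotate, leak or audit, and the signJwt calls show up in Cloud Audit Logs under the function's identity.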
