How to use the Google Cloud credentials with Waffle GCS for the enviroment variable

I am thinking to put the credentials of the Google Cloud on the Gigalixir Server using config set. Which will put on the secrets.

gigalixir config:set GCP_KEY=="<GOOGLE-CLOUD-CREDENTIALS>"

and use locally on the file .env and insert the values as:

export GCP_BUCKET="<MY-BUCKET-ON-GOOGLE-CLOUD>"
export GCP_KEY="<GOOGLE-CLOUD-CREDENTIALS>"

But putting the GCP_KEY as json string don’t work for use with System.fetch_env!("GCP_KEY") or System.get_env("GCP_KEY").

Like the documentation:

   "GOOGLE_APPLICATION_CREDENTIALS_JSON"
      |> System.fetch_env!()
      |> Jason.decode!()

The only way was reading the json file:

application.ex

@gcp_key File.read!("gcp.json") |> Jason.decode!()
  @impl true
  def start(_type, _args) do

    credentials = @gcp_key

    source = {:service_account, credentials}
.
.
.

But the thing is, I don’t want to put my google credentials file on github or in production. I want to on the .gitignore
How is the best approach for this?

(note: I’m guessing the specific failure mode, the below could be nonsense)

Module attributes like @gcp_key are evaluated at compile-time so just replacing File.read! in your example with System.fetch_env! will only work if the GOOGLE_APPLICATION_CREDENTIALS_JSON envvar is set when compiling the module.

But if I send the credentials to the public repository it’s possible to anyone could access the Google cloud bucket?