How to use Google Cloud credentials with Waffle GCS from an environment variable

I am thinking of putting the Google Cloud credentials on the Gigalixir server using config:set, which will store them as secrets:

gigalixir config:set GCP_KEY="<GOOGLE-CLOUD-CREDENTIALS>"

and use them locally in the .env file, inserting the values as:

export GCP_BUCKET="<MY-BUCKET-ON-GOOGLE-CLOUD>"
export GCP_KEY="<GOOGLE-CLOUD-CREDENTIALS>"

But putting GCP_KEY as a JSON string doesn't work with System.fetch_env!("GCP_KEY") or System.get_env("GCP_KEY").

Like in the documentation:

   "GOOGLE_APPLICATION_CREDENTIALS_JSON"
      |> System.fetch_env!()
      |> Jason.decode!()

The only way that worked was reading the JSON file:

application.ex

defmodule MyApp.Application do
  use Application

  # evaluated at compile time, so gcp.json must exist on the build machine
  @gcp_key File.read!("gcp.json") |> Jason.decode!()

  @impl true
  def start(_type, _args) do
    credentials = @gcp_key

    source = {:service_account, credentials}
    # ...
  end
end

But the thing is, I don't want to put my Google credentials file on GitHub or in production. I want it in .gitignore.
What is the best approach for this?

(note: I'm guessing at the specific failure mode; the below could be nonsense)

Module attributes like @gcp_key are evaluated at compile time, so just replacing File.read! in your example with System.fetch_env! will only work if the GOOGLE_APPLICATION_CREDENTIALS_JSON env var is set when compiling the module.
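The runtime alternative to the compile-time module attribute, as an added example that is not code from this thread. It reads the key from the environment in config/runtime.exs, which is evaluated when the application boots (both under mix and inside a release), so no gcp.json has to exist on the build machine or in the image, and the decoded key is not baked into any .beam file. The application name :my_app, the module names MyApp.Application and MyApp.Goth, and the shape of the gigalixir command in the comment are assumptions; the Goth child spec and source tuple follow the Goth 1.3+ documentation quoted in the question.

```elixir
# config/runtime.exs  (evaluated at boot: under `mix` and inside the release)
import Config

# The whole key file is passed as ONE environment variable. Locally: `source .env`,
# where .env holds `export GOOGLE_APPLICATION_CREDENTIALS_JSON='{"type": ...}'`.
# On Gigalixir (assumed command shape, same as the question's config:set):
#   gigalixir config:set GOOGLE_APPLICATION_CREDENTIALS_JSON="$(cat gcp.json)"
# System.fetch_env!/1 raises when the variable is missing, so a misconfigured
# deploy fails at boot instead of at the first upload.
credentials =
  "GOOGLE_APPLICATION_CREDENTIALS_JSON"
  |> System.fetch_env!()
  |> Jason.decode!()

# Only the decoded map lives in the application env; gcp.json never exists on disk.
config :my_app, :gcp_credentials, credentials

# lib/my_app/application.ex
defmodule MyApp.Application do
  use Application

  @impl true
  def start(_type, _args) do
    # Looked up at runtime. Compare the module-attribute version in the question:
    # `@gcp_key File.read!("gcp.json") |> Jason.decode!()` runs on the build
    # machine, needs the file to exist there, and compiles the key into the .beam.
    credentials = Application.fetch_env!(:my_app, :gcp_credentials)

    children = [
      # Goth 1.3+: one named token server. The rest of the app calls
      # Goth.fetch(MyApp.Goth) and never handles the private key itself.
      {Goth, name: MyApp.Goth, source: {:service_account, credentials}}
    ]

    Supervisor.start_link(children, strategy: :one_for_one, name: MyApp.Supervisor)
  end
end
```

Decoding in config/runtime.exs rather than in start/2 keeps the JSON handling in one place; if Jason is not yet on the code path where your config is read, move the `Jason.decode!()` call into start/2 and store the raw string in the application env instead.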

But if I push the credentials to a public repository, is it possible that anyone could access the Google Cloud bucket?

If you have not been able to resolve this, or if anyone else comes across this:
Assuming you're using waffle_gcs, you can define a TokenFetcher and use the new Goth 1.3+ approach.

Unfortunately, due to how the waffle libs handle config, if you need to sign URLs, such as for a private bucket, you'll still need to pass the "old" JSON key that just contains the raw file contents.

To avoid having the file lying around in the container, which could result in exposure if there were file traversal bugs in our code, and to avoid building it into the image, we used GCP Secret Manager and hush. We also made a custom service account that only had permissions to sign URLs, and then used the metadata source with Goth for everything else to use the VM's configured service account.
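The TokenFetcher plus metadata-source setup described in the reply above, written out as an added example; it is not the poster's code. It assumes waffle_gcs's `Waffle.Storage.Google.Token.Fetcher` behaviour with a `get_token/1` callback and the `:token_fetcher` key under `config :waffle` (check both against the waffle_gcs version you have installed), the Goth 1.3+ `{:metadata, options}` source, and the names MyApp.GcsTokenFetcher, MyApp.Goth and :my_app. The IAM role named in the comment is the standard `roles/storage.objectAdmin`.

```elixir
# config/runtime.exs
import Config

config :waffle,
  storage: Waffle.Storage.Google.CloudStorage,
  bucket: System.fetch_env!("GCP_BUCKET"),
  # waffle_gcs asks this module for a bearer token before each GCS request
  token_fetcher: MyApp.GcsTokenFetcher

# lib/my_app/gcs_token_fetcher.ex
defmodule MyApp.GcsTokenFetcher do
  @moduledoc """
  Bridges waffle_gcs to a Goth 1.3+ token server. waffle_gcs passes the OAuth
  scope(s) it wants; in Goth 1.3 the scopes are fixed per token server
  (default: cloud-platform), so the argument is only normalised here.
  """
  @behaviour Waffle.Storage.Google.Token.Fetcher

  @impl true
  def get_token(scopes) when is_list(scopes), do: get_token(Enum.join(scopes, " "))

  @impl true
  def get_token(scope) when is_binary(scope) do
    # Cached and refreshed by Goth. Matching strictly on {:ok, _} surfaces a
    # broken credential setup at the call site instead of as a 401 from GCS.
    {:ok, %Goth.Token{token: token}} = Goth.fetch(MyApp.Goth)
    token
  end
end

# lib/my_app/application.ex
defmodule MyApp.Application do
  use Application

  @impl true
  def start(_type, _args) do
    children = [
      # No key anywhere in the app: on GCE/GKE/Cloud Run, Goth asks the metadata
      # server for tokens of the service account attached to the workload.
      # Grant that account roles/storage.objectAdmin on the one bucket only.
      {Goth, name: MyApp.Goth, source: {:metadata, []}}
    ]

    Supervisor.start_link(children, strategy: :one_for_one, name: MyApp.Supervisor)
  end
end
```

With this split, uploads and reads never touch a private key at all. The URL-signing key (the reply's second, minimal service account) is the one piece that still has to be supplied as raw JSON; load it at boot from your secret store, as the reply does with Secret Manager and hush, rather than from a file shipped in the image.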

You can add an extra config file and have git ignore it.

https://hexdocs.pm/elixir/main/Config.Provider.html#module-multiple-config-files
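The extra, git-ignored config file from the linked Config.Provider section, as an added example that is not the poster's code. It wires a second Config.Reader into the release so that `$RELEASE_ROOT/secrets.exs` is read at boot; that file is listed in .gitignore and .dockerignore and is placed next to the release by the deploy step. :my_app, MyApp.Application and the placeholder key fields in the style of the question are assumptions; the `{:system, "RELEASE_ROOT", path}` form is the one shown in the Config.Provider docs.

```elixir
# mix.exs: the release reads one additional config file at boot, from a path
# outside the repo and outside the image ($RELEASE_ROOT/secrets.exs).
defmodule MyApp.MixProject do
  use Mix.Project

  def project do
    [
      app: :my_app,
      version: "0.1.0",
      elixir: "~> 1.14",
      start_permanent: Mix.env() == :prod,
      deps: deps(),
      releases: [
        my_app: [
          config_providers: [
            # Runs after config/runtime.exs; a missing file is a boot error,
            # so a deploy that forgot the secret fails loudly.
            {Config.Reader, {:system, "RELEASE_ROOT", "/secrets.exs"}}
          ]
        ]
      ]
    ]
  end

  def application, do: [mod: {MyApp.Application, []}, extra_applications: [:logger]]

  defp deps, do: [{:goth, "~> 1.3"}, {:jason, "~> 1.4"}]
end

# secrets.exs  (in .gitignore and .dockerignore; copied to the release root at
# deploy time, owned by and readable only by the service user)
import Config

config :my_app, :gcp_credentials, %{
  "type" => "service_account",
  "project_id" => "<MY-PROJECT>",
  "client_email" => "<SERVICE-ACCOUNT>@<MY-PROJECT>.iam.gserviceaccount.com",
  "private_key_id" => "<KEY-ID>",
  "private_key" => "-----BEGIN PRIVATE KEY-----\n<KEY-BODY>\n-----END PRIVATE KEY-----\n",
  "token_uri" => "https://oauth2.googleapis.com/token"
}
```

Config providers are a release feature: `mix phx.server` in development does not run them, so keep the environment-variable path in config/runtime.exs for local work. Note also that this approach leaves the key readable on the container's filesystem for the lifetime of the release, which is exactly what the previous reply chose to avoid by pulling it from Secret Manager at boot.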
