How to use the Google Cloud credentials with Waffle GCS for the enviroment variable

I am thinking to put the credentials of the Google Cloud on the Gigalixir Server using config set. Which will put on the secrets.

gigalixir config:set GCP_KEY=="<GOOGLE-CLOUD-CREDENTIALS>"

and use locally on the file .env and insert the values as:


But putting the GCP_KEY as json string don’t work for use with System.fetch_env!("GCP_KEY") or System.get_env("GCP_KEY").

Like the documentation:

      |> System.fetch_env!()
      |> Jason.decode!()

The only way was reading the json file:


@gcp_key!("gcp.json") |> Jason.decode!()
  @impl true
  def start(_type, _args) do

    credentials = @gcp_key

    source = {:service_account, credentials}

But the thing is, I don’t want to put my google credentials file on github or in production. I want to on the .gitignore
How is the best approach for this?

(note: I’m guessing the specific failure mode, the below could be nonsense)

Module attributes like @gcp_key are evaluated at compile-time so just replacing! in your example with System.fetch_env! will only work if the GOOGLE_APPLICATION_CREDENTIALS_JSON envvar is set when compiling the module.

But if I send the credentials to the public repository it’s possible to anyone could access the Google cloud bucket?

If you have not been able to resolve this, or if anyone else comes across this:
Assuming you’re using waffle_gcs, you can define a TokenFetcher and use the new Goth 1.3+ approach.

Unfortunately, due to how the waffle libs handle config, if you need to sign URLs, such as for a private bucket, you’ll still need pass the “old” json key that just contains the raw file contents.

To avoid having the file lying around in the container, which could result in exposure if there were file traversal bugs in our code, and to avoid building it into the image, we used GCP Secrets Manager and hush. We also made a custom service account that only had permissions to sign URLs, and then used the metadata source with Goth for everything else to use the VMs configured service account.

You can add an extra config file and have git ignore it.

1 Like