I am working on a small project with Java in IntelliJ that uses the Google Cloud Translation API. For managing the dependencies, I use maven. My goal is to create an executable jar.
In my current situation, I have downloaded the .json file that stores my private key and set the environment variable GOOGLE_APPLICATION_CREDENTIALS that points to the location of the .json file either in my IDE via "Run configurations" or with a prompt in the command line before starting the executable jar.
But here is the problem: It works fine on my own computer, but how am I supposed to let another person like my supervisor use my application on their computer? I surely do not want to upload my credentials to a github repo, so my idea was to send him the .json file and let him know that he has to set the environment variable by himself.
I would appreciate any help :)
EDIT: I try to specify my problem - What is the intended way from Google so that other people can run my app? Am I supposed to share my service account's credentials, or can I somehow include them safely into the jar? Because without setting the environment variable, the jar won't start
CodePudding user response:
Json files are normally associated with service accounts, not users (ie real people), so I assume you are not talking about your private key, but the private key of a service account.
The simplest option is to indeed give json file with the key to the other person and instruct them to set the GOOGLE_APPLICATION_CREDENTIALS env variable.
Note that this will give anyone with that json file access to whatever that service account has permissions for. I would highly recommend to restrict these permissions to the minimum (probably just the translation API and nothing more).
CodePudding user response:
Non-secure Transmission
You should avoid sending any file or record (like e-mail, Slack, SMS) with the API key in clear text without encryption or access control. If you do send the API key this way, make sure both parties delete the records after transmission (including from e-mail trash folder).
GPG Encryption (free)
For a free solution, you can encode the API key using GPG (GNU Privacy Guard), as described in this article. Basically you generate a public-private key pair and share your public key with anyone who wants to send you files. Your colleague will need to do the same and give you their public key. You can use that public key to encrypt your API key and send the encrypted text to them however you want. Then they would use their private key to decrypt the API key. This assumes is that your colleague is tech savvy enough to do all this.
Secrets Management Services (paid)
Alternatively, if your company uses GCP, you can use Secret Manager to generate and share keys. You will need to have Admin access to create a key and Accessor access to view it. So there's some one-time setup involved. There is a small fee per active secret you maintain ($0.06/key/month), but you can remove the key once it's been shared. Also, the first 6 keys are free. See pricing for accurate info.
Besides that, you can use a third-party secrets management service, such as 1password or SecretHub. There are many others. There are often fees with such tools as well, so you may need to get approval and sign up for an account. The upside is that now your company/team will have a reliable secrets management tool. Most services also offer a trial period you can use for a one-time share.