This is the shape of my JSON service account key from Google.
{
  "type": "service_account",
  "project_id": "",
  "private_key_id": "",
  "private_key": "",
  "client_email": "",
  "client_id": "",
  "auth_uri": "",
  "token_uri": "",
  "auth_provider_x509_cert_url": "",
  "client_x509_cert_url": ""
}
Which fields should be secret? I mean, I would add most of it to my Git repo, and I would add the private bits as env variables.
Is protecting the private_key enough?
For example:
account.ts
export const account = {
  "type": "service_account",
  "project_id": "VALUE",
  "private_key_id": "VALUE",
  "private_key": process.env.PRIVATE_KEY, // Populating it via env variables
  "client_email": "VALUE",
  "client_id": "VALUE",
  "auth_uri": "VALUE",
  "token_uri": "VALUE",
  "auth_provider_x509_cert_url": "VALUE",
  "client_x509_cert_url": "VALUE",
};
Should I also hide the private_key_id?
CodePudding user response:
The private_key must be protected. If that value is disclosed along with the project_id, someone could easily create authorization tokens and breach your Google Cloud project. If the service account has the correct IAM roles, they could take control of your project.
It is still possible to create authorization tokens without disclosing the project_id but that would require more time as the Project ID can be deduced by other means.
The private_key_id is used to look up the RSA Public Key to validate the signature created by the private_key. Key IDs are public and their disclosure is not a problem.
Only the private_key is a secret. The other values are either sensitive data or public data.
Best Practice: protect the entire service account.
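An added example, not part of the original question or answer: a TypeScript loader for the split described above, which refuses a committed private_key, restores the newlines that environment stores often flatten, and redacts the key before logging. The names loadServiceAccount, redact, SECRET_FIELDS and the SAMPLE_* values are assumptions made for illustration.

```typescript
// Added example: loadServiceAccount, redact, SECRET_FIELDS and the SAMPLE_* values are
// assumptions for illustration; the field names come from the key file in the question.
type Env = Record<string, string | undefined>;
type ServiceAccount = Record<string, string>;

const SECRET_FIELDS = ["private_key"]; // the one secret field, per the answer
const PEM_RE =
  /^-----BEGIN (RSA )?PRIVATE KEY-----\n[A-Za-z0-9+/=\n]+\n-----END (RSA )?PRIVATE KEY-----\n?$/;

// Constructed sample values: not a real account, and the key body is a placeholder.
const SAMPLE_COMMITTED: ServiceAccount = {
  type: "service_account",
  private_key_id: "0000placeholder0000",
  client_email: "svc@example-project.iam.gserviceaccount.com",
};
const SAMPLE_ENV: Env = {
  // Newlines flattened to a literal backslash-n, as many env stores deliver them.
  PRIVATE_KEY:
    "-----BEGIN PRIVATE KEY-----\\nQ09OU1RSVUNURURfUExBQ0VIT0xERVI=\\n-----END PRIVATE KEY-----\\n",
};

function loadServiceAccount(committed: ServiceAccount, env: Env): ServiceAccount {
  // 1. The part kept in Git must not carry the secret, not even by accident.
  for (const field of SECRET_FIELDS) {
    if (committed[field]) {
      throw new Error(`${field} must not be stored in the repository`);
    }
  }
  // 2. The secret comes only from the environment.
  const raw = env["PRIVATE_KEY"];
  if (!raw) throw new Error("PRIVATE_KEY is not set");
  // 3. Restore real newlines, then check the PEM framing without echoing the value.
  const pem = raw.replace(/\\n/g, "\n");
  if (!PEM_RE.test(pem)) throw new Error("PRIVATE_KEY is not a PEM private key");
  return { ...committed, private_key: pem };
}

// Copy of the account that is safe to log: secret fields are replaced, input is untouched.
function redact(account: ServiceAccount): ServiceAccount {
  const copy: ServiceAccount = { ...account };
  for (const field of SECRET_FIELDS) {
    if (copy[field]) copy[field] = "[REDACTED]";
  }
  return copy;
}
```

In application code the second argument would be process.env. Keeping the whole key file out of the repository, as the answer recommends, removes the need for the first check.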