
I am trying to use private_key for some GCP service Node.js client libraries, e.g. @google-cloud/pubsub, @google-cloud/trace-agent

I got private_key from the service account credential JSON file like this:


I am trying to use it as an environment variable for a Cloud Function.

.env.yaml:


And use it like this:

    // ...
    credentials: {
      private_key: envs.private_key,
      client_email: envs.client_email
    },
    projectId: envs.X_GOOGLE_GCLOUD_PROJECT

But got an error:

Error: error:0906D06C:PEM routines:PEM_read_bio:no start line

I checked the Stackdriver logs; here is the private_key environment variable I got:


My guess is the format of private_key is not correct. It's probably caused by the newline symbol \n. So, what's the correct format when using private_key like this?

Lin Du
  • @Rob I think it depends on the situation, not NEVER. My question hit this situation. Because the secret key has so many characters, using text instead of posting an image will reduce readability!! I don't agree with your downvote and closing my question!! Don't see the picture in question and close the question – Lin Du Aug 17 '19 at 09:50
  • I already gave you a reason and a link to the rules. Your images are not copyable to help duplicate your problem. They are not searchable and are barely readable if readable at all. – Rob Aug 17 '19 at 09:52
  • As I said, it's not code; I know I shouldn't post an image for code. But I posted an image of a secret key; it's not worth copying and searching. – Lin Du Aug 17 '19 at 09:53
  • Is it any error messages or output of data? If you know you shouldn't do it, then don't do it. – Rob Aug 17 '19 at 09:54
  • Can't you see the `Error: error:0906D06C:PEM routines:PEM_read_bio:no start line`? – Lin Du Aug 17 '19 at 09:55
  • The private key by itself is not enough for Google services if used for authentication. Take the entire JSON key material, base64 and stuff that into your environment variable. If you are just using the private key for other purposes, base64 that part. When you decode, you will have an exact duplicate of the original key text. – John Hanley Aug 17 '19 at 18:00
  • I am neither a fan of nor an expert in the fickle beast called YAML, but I don't think `\n` in YAML means "newline" unless the string is double-quoted -- it just means the two characters '\' and 'n', which would explain why that backslash is being escaped with another one in the logs -- because it's a literal backslash. Consider quoting the value... `private_key: "-----BEGIN..."` – Michael - sqlbot Aug 17 '19 at 22:00

2 Answers

Setting the key in the .env.yaml file is not a good idea. Indeed, you will be able to commit it to git, maybe in a public repo, and you will set it in plain text as an environment variable of your function.

It will be better if you put the file in a bucket and load it at runtime. BTW, you will keep no secret in the project files.

Another solution is to encrypt the key with KMS and decrypt it at runtime. This time you still have the secret in your project files, but encrypted.

But why do you need another service account? Is the one on the function not enough?

guillaume blaquiere
GCLOUD_KEY='{"private_key_id":"XXX", "private_key":"YYY",
             "client_email":"ZZZ@ZZZ.COM", "client_id":"ABC123",
             "type":"service_account"}'
TerryA
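
The two encodings discussed in the comments above (a value carrying literal `\n` pairs, and the whole JSON key file base64-encoded into one variable), as an added example that is not part of the original question or answers. The function names and the `sa@example.invalid` identity are hypothetical, and the key is a throwaway generated at runtime as constructed sample data.

```javascript
const crypto = require('node:crypto');

// Constructed sample: a throwaway RSA key wrapped like a service-account JSON file.
function makeSampleCredentials() {
  const { privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  return {
    type: 'service_account',
    client_email: 'sa@example.invalid', // placeholder identity
    private_key: privateKey,
  };
}

// Case 1: the variable arrived with literal backslash-n pairs instead of line breaks.
function pemFromEscaped(value) {
  return value.replace(/\\n/g, '\n');
}

// Case 2: the whole JSON key file was base64-encoded into one variable.
function credentialsFromBase64(value) {
  const creds = JSON.parse(Buffer.from(value, 'base64').toString('utf8'));
  if (typeof creds.private_key !== 'string' || typeof creds.client_email !== 'string') {
    throw new Error('decoded credentials lack private_key or client_email');
  }
  return creds;
}

// True only if Node's crypto can parse the string as a private key.
// Checking at startup surfaces a mangled value before any client library uses it.
function isUsablePem(pem) {
  try {
    crypto.createPrivateKey(pem);
    return true;
  } catch (err) {
    return false;
  }
}

// Demo on the constructed key; only booleans are printed, never key material.
const sample = makeSampleCredentials();
const escaped = sample.private_key.replace(/\n/g, '\\n');
console.log('escaped value parses:', isUsablePem(escaped));
console.log('after unescaping:', isUsablePem(pemFromEscaped(escaped)));
const b64 = Buffer.from(JSON.stringify(sample)).toString('base64');
console.log('base64 round trip:', isUsablePem(credentialsFromBase64(b64).private_key));
```

Either encoding still leaves the key readable in the function's environment, so the storage concerns raised in the first answer apply unchanged.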