How do I prevent my Google Maps API key from being exposed in my git repository when using Expo?

Question

Problem is that my Google Maps API key is in the Expo app.json config file under the path expo.android.config.googleMaps.apiKey and is exposed to my git repository.

This is a problem because my git repository will be public and while my keys are protected in the Google Maps Platform, API keys in general should not be easily exposed as it serves a security risk.

I have tried masking the app.json away from the repository by adding it to .gitignore and creating a replica of it called app.template.json with the API key redacted.

1. This caused a prebuild error when using eas build: I assume this is a bug with Expo/EAS upload archiver/prebuild parser.

Project must have a android.package set in the Expo config (app.json or app.config.js).

2. This also caused me having to keep 2 different files up to date at minor changes, such as version.

I have no use of storing the API key within the application itself - because the key needs to be configured in the Android manifest (or somewhere outside of my control...).

• Which means the accepted answer here, How can I store Google Maps API keys not using app.json?, does not actually answer the question.

Answer 1

You could use git-crypt : https://buddy.works/guides/git-crypt. I have used this in the past when we had a repo that contained configuration files with passwords etc.