0

I am trying to use the @google-cloud/secret-manager package to read secrets from inside an application, and I want it to authenticate with a specific service account, not the default credentials. I can't find any documentation anywhere on how to do this.

import { SecretManagerServiceClient } from '@google-cloud/secret-manager';

const smClient = new SecretManagerServiceClient();

There are no options anywhere in the docs to provide authentication parameters. I'm even trying to use the google-auth-library to authenticate with my service account, but I'm not sure how to pass that to the secret-manager request.

import fs from 'fs';
import path from 'path';
import { JWT } from 'google-auth-library';

// Note: __dirname only exists in CommonJS output (e.g. TypeScript compiled to CJS);
// in native ESM it is undefined and the path must be derived from import.meta.url.
const keyFile = JSON.parse(
    fs.readFileSync(path.resolve(__dirname, '../service-account.json'), 'utf8')
)

const authClient = new JWT({
    email: keyFile.client_email,
    key: keyFile.private_key,
    scopes: ['https://www.googleapis.com/auth/cloud-platform'],
});
chrispytoes

2 Answers

0

Google Cloud Client Libraries use a library called Application Default Credentials (ADC) to automatically find your service account credentials. ADC looks for service account credentials in the following order:

  • If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC uses the service account key or configuration file that the variable points to.

  • If it isn't set, ADC uses the service account that is attached to the resource that is running your code.

  • If ADC can't use any of the above credentials, an error occurs.

The recommended steps would be to create a service account and set an environment variable accordingly. Also, there are a few examples for common use cases and brief information in the same document about how to access a secret.

Hope the above information is useful to you.

  • Thank you! I've been looking everywhere for a variable like that. I'm just doing it by setting `GOOGLE_APPLICATION_CREDENTIALS`. However, I'm still surprised there's no way to specify credentials. I'm coming from AWS and all their libraries can be manually passed credentials. What if I needed to access multiple accounts from one app? – chrispytoes May 11 '23 at 18:17
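Added example, not code from the question or this answer: the Google Cloud Node client constructors take the same auth options as google-auth-library's GoogleAuth, so a key can be passed in memory (`credentials`) or by path (`keyFilename`) instead of through `GOOGLE_APPLICATION_CREDENTIALS`, and one process can hold a separately authenticated client per service account. The option names are the standard google-gax client options as I know them, so confirm them against the installed version of `@google-cloud/secret-manager`; the key file below is a constructed, non-functional sample.

```javascript
// Added example: explicit per-account credentials for SecretManagerServiceClient.
// Not from the thread. `credentials` / `projectId` are the standard google-gax client
// options (assumption: verify against your installed library version).

// Constructed, non-functional sample of a service-account key file: the fields a
// real one carries, with a dummy key, so this file runs offline.
const SAMPLE_KEY_JSON = JSON.stringify({
  type: 'service_account',
  project_id: 'example-project',
  private_key_id: 'abc123',
  private_key: '-----BEGIN PRIVATE KEY-----\nMIIE...DUMMY...\n-----END PRIVATE KEY-----\n',
  client_email: 'reader@example-project.iam.gserviceaccount.com',
});

// Parse and sanity-check a key file before handing it to the client, so a wrong or
// truncated file fails loudly here rather than as an opaque auth error later.
function parseServiceAccountKey(jsonText) {
  const key = JSON.parse(jsonText);
  if (key.type !== 'service_account') {
    throw new Error(`expected a service_account key, got type=${key.type}`);
  }
  for (const field of ['client_email', 'private_key', 'project_id']) {
    if (typeof key[field] !== 'string' || key[field].length === 0) {
      throw new Error(`service account key is missing ${field}`);
    }
  }
  if (!key.private_key.includes('-----BEGIN PRIVATE KEY-----')) {
    throw new Error('private_key is not a PEM block');
  }
  return key;
}

// Constructor options: credentials go in memory, so nothing here depends on
// GOOGLE_APPLICATION_CREDENTIALS, and two calls with two keys give two independently
// authenticated clients in the same process.
function clientOptionsFor(key) {
  return {
    projectId: key.project_id,
    credentials: { client_email: key.client_email, private_key: key.private_key },
  };
}

// Fully-qualified version resource name that accessSecretVersion expects.
function secretVersionName(projectId, secretId, version = 'latest') {
  for (const [label, value] of [['projectId', projectId], ['secretId', secretId]]) {
    if (!/^[A-Za-z0-9_-]+$/.test(value)) throw new Error(`invalid ${label}: ${value}`);
  }
  return `projects/${projectId}/secrets/${secretId}/versions/${version}`;
}

// Create a client bound to one service account. The library is loaded lazily so the
// helpers above can be exercised without it installed.
async function secretClientFor(keyJsonText) {
  const { SecretManagerServiceClient } = await import('@google-cloud/secret-manager');
  const key = parseServiceAccountKey(keyJsonText);
  return { client: new SecretManagerServiceClient(clientOptionsFor(key)), projectId: key.project_id };
}

// Read one secret version as a UTF-8 string with the given bound client.
// Usage: const reader = await secretClientFor(fs.readFileSync('reader.json', 'utf8'));
//        const value = await readSecret(reader, 'db-password');
async function readSecret({ client, projectId }, secretId, version = 'latest') {
  const [response] = await client.accessSecretVersion({
    name: secretVersionName(projectId, secretId, version),
  });
  return Buffer.from(response.payload.data).toString('utf8');
}
```

Calling secretClientFor once per key file is what gives the "multiple accounts from one app" setup the comment asks about; each client carries its own credential and they do not share the process-wide default. A key file is still a long-lived secret, so treat it as one (restrict file permissions, rotate it, prefer an attached identity or impersonation where the runtime offers one).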
0

If your runtime environment has a built-in credential (because you are on Google Cloud or you use Workload Identity federation), you are going the wrong way.

A service account key file (the JSON file) is insecure and I strongly recommend using it only in very specific cases.

But I understand the requirement to access a secret with another identity/credential. For that, something exists and it's named "impersonation".

The principle is to allow your current default credential to generate a token (access or identity) on behalf of another service account. For that, the current credential requires the role "Service Account Token Creator" to be able to generate that token.

I'm not a Node.js developer, but I found that and that piece of code


  import { GoogleAuth, Impersonated } from 'google-auth-library';

  // The source credential is whatever ADC resolves to (attached service account,
  // workload identity federation, ...); it needs Service Account Token Creator
  // on the target service account.
  const auth = new GoogleAuth({ scopes: ['https://www.googleapis.com/auth/cloud-platform'] });
  const sourceClient = await auth.getClient();

  let targetClient = new Impersonated({
    sourceClient,
    targetPrincipal: "impersonated-account@fabled-ray-104117.iam.gserviceaccount.com",
    lifetime: 30, // seconds
    delegates: [],
    targetScopes: ["https://www.googleapis.com/auth/cloud-platform"]
  });
guillaume blaquiere
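Added example, not code from this answer or from Google's documentation: the impersonation flow described above wired to the Secret Manager client. The source credential comes from ADC, the `Impersonated` client mints short-lived access tokens for the target service account, and that client is handed to `SecretManagerServiceClient` through the `authClient` constructor option (assumption: google-auth-library 8+ behind google-gax accepts it; verify against your installed versions). Service account emails, project and secret names are constructed placeholders. The IAM prerequisite the answer names, Service Account Token Creator (`roles/iam.serviceAccountTokenCreator`) on the target account for the source identity, is the one thing the code cannot check for you; a missing grant surfaces as a permission error when the first token is requested.

```javascript
// Added example: read a secret as another service account via impersonation.
// Not code from the thread. Assumes google-auth-library's Impersonated client and
// that the Secret Manager client accepts an `authClient` option (check your versions).

const CLOUD_PLATFORM_SCOPE = 'https://www.googleapis.com/auth/cloud-platform';
// Covers user-managed (…@PROJECT.iam.gserviceaccount.com) and Google-managed default
// service accounts (…@developer.gserviceaccount.com, …@appspot.gserviceaccount.com).
const SA_EMAIL = /^[a-z0-9-]+@[a-z0-9.-]+\.gserviceaccount\.com$/;

// Validate the impersonation parameters up front. `lifetime` is in seconds; the IAM
// Credentials API caps it at 3600 unless an org policy extends it, so keep tokens
// short and bounded. Every delegate in the chain must also be a service account.
function impersonationOptions(targetPrincipal, { lifetime = 300, delegates = [] } = {}) {
  if (!SA_EMAIL.test(targetPrincipal)) {
    throw new Error(`targetPrincipal is not a service account email: ${targetPrincipal}`);
  }
  if (!Number.isInteger(lifetime) || lifetime <= 0 || lifetime > 3600) {
    throw new Error(`lifetime must be 1..3600 seconds, got ${lifetime}`);
  }
  for (const d of delegates) {
    if (!SA_EMAIL.test(d)) throw new Error(`delegate is not a service account email: ${d}`);
  }
  return { targetPrincipal, lifetime, delegates: [...delegates], targetScopes: [CLOUD_PLATFORM_SCOPE] };
}

// Build the impersonated auth client from whatever ADC resolves to (attached service
// account, workload identity federation, ...). Libraries are imported lazily so the
// validation above runs without them installed.
async function impersonatedAuthClient(targetPrincipal, opts) {
  const { GoogleAuth, Impersonated } = await import('google-auth-library');
  const sourceClient = await new GoogleAuth({ scopes: [CLOUD_PLATFORM_SCOPE] }).getClient();
  return new Impersonated({ sourceClient, ...impersonationOptions(targetPrincipal, opts) });
}

// Secret Manager client whose requests carry tokens for the target service account.
// projectId is passed explicitly so the client never has to derive it from the
// impersonated credential.
async function secretClientAs(targetPrincipal, projectId, opts) {
  const { SecretManagerServiceClient } = await import('@google-cloud/secret-manager');
  const authClient = await impersonatedAuthClient(targetPrincipal, opts);
  return new SecretManagerServiceClient({ authClient, projectId });
}

// Read one secret version as the target service account.
// Usage: await readSecretAs('reader@example-project.iam.gserviceaccount.com',
//                           'example-project', 'db-password');
async function readSecretAs(targetPrincipal, projectId, secretId, version = 'latest') {
  const client = await secretClientAs(targetPrincipal, projectId);
  const [response] = await client.accessSecretVersion({
    name: `projects/${projectId}/secrets/${secretId}/versions/${version}`,
  });
  return Buffer.from(response.payload.data).toString('utf8');
}
```

Nothing long-lived is stored anywhere in this flow: the only durable credential is the runtime's own identity, and the access tokens for the target account expire after `lifetime` seconds. Audit logs on the target project record both the impersonated service account and the source identity that requested the token, which is what makes this preferable to copying a key file into the application.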