Deploying a service account key on Cloud Functions


Michele Volpato

Dec 7, 2020, 11:36:32 AM
to Firebase Google Group
Hi all,

I am reading this security document and checking that my project checks all the points in the checklist.

In Cloud Functions safety it is explained that 
  • If you're calling Google and Google Cloud APIs that require service account credentials, the Google Auth library for Node.js can get these credentials from the application default credentials, which are automatically populated in Cloud Functions.
I need to access Google Drive API from my Cloud Functions, and for this reason I deploy the key of a service account (the json file) that has access to Google Drive API, and I refer to it in the code.

According to the point above, I should not do it. Is that correct?
The solution would be either
  • Add Google Drive API permission to the application default service account, or
  • Use Google Secret Manager.
Is this correct, or am I missing something?

Thanks.

Have a good week,
Michele


Sam Stern

Dec 7, 2020, 1:14:49 PM
to Firebase Google Group
Hi Michele,

Yes, that is correct, you should either add the permission you need to the default service account or use Secret Manager.

- Sam
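
Following the advice in this thread means the key's JSON file should no longer ship with the function source, and a pre-deploy check can confirm none is left behind. The script below is an added example, not part of the original thread or of any Firebase tooling; the function names, `SKIP_DIRS` and the sample tree with its placeholder key are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Assumption: these directories are not part of the reviewed function source.
const SKIP_DIRS = new Set(['node_modules', '.git']);

// A service account key file is JSON with type "service_account" and a PEM private key.
function looksLikeServiceAccountKey(text) {
  let doc;
  try { doc = JSON.parse(text); } catch (err) { return false; } // not JSON at all
  return doc !== null && typeof doc === 'object' &&
    doc.type === 'service_account' &&
    typeof doc.private_key === 'string' &&
    doc.private_key.includes('PRIVATE KEY');
}

// Walk the source tree and return the relative path of every .json file that is a key.
function findServiceAccountKeys(rootDir) {
  const hits = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) {
        if (!SKIP_DIRS.has(entry.name)) walk(full);
      } else if (entry.isFile() && entry.name.endsWith('.json') &&
                 looksLikeServiceAccountKey(fs.readFileSync(full, 'utf8'))) {
        hits.push(path.relative(rootDir, full));
      }
    }
  };
  walk(rootDir);
  return hits.sort();
}

// Constructed sample tree: one fake key (placeholder values) and one ordinary JSON file.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'functions-'));
  fs.mkdirSync(path.join(root, 'config'));
  fs.writeFileSync(path.join(root, 'package.json'), JSON.stringify({ name: 'functions' }));
  fs.writeFileSync(path.join(root, 'config', 'drive-key.json'), JSON.stringify({
    type: 'service_account',
    client_email: 'constructed-sample@example.invalid',
    private_key: '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n',
  }));
  return root;
}

console.log(findServiceAccountKeys(buildSampleTree()));
```

Run against the real functions directory before deploying and fail the build when the returned list is not empty.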
