Cloud Functions - safe for a key?


Andrew Davies

Jan 11, 2021, 9:16:31 AM
to Google App Engine
Hi there,

I'm pretty new so please pardon if this is a stupid question. I seem to get led astray when looking for security info too. 

Is it safe to store a key as part of a package published to Google Cloud Functions? Specifically this would be a key used for a Google service account as part of a GCP project. 

If not natively, is there anything I could do to make it 'safe' or is it generally a bad idea all around?

Nothing super sensitive to be done by the function but still would prefer it to run with minimal risk of interference. 

Thanks!

Elliott (Cloud Platform Support)

Jan 11, 2021, 3:20:03 PM
to Google App Engine
Hello,

I'd like to address your questions, but before I do, I would like you to know that there is no by-and-large answer on security. It depends on your requirements. Depending on the answers to some questions, I can guide you to a point where you may benefit.

To begin, you mentioned that you wish to use a service key with your Cloud Function.

Is there a reason why you chose this approach, given that a Cloud Function has a service account?
Why are you using a Cloud Function to store your key?
What specific security concerns do you have? 

I looked further and was pointed to this thread, which has several views that may assist you. Perhaps it may provide you with further insight.

1. Encrypt your service account credential JSON file using Cloud KMS/Vault and upload it to Cloud Storage.
2. Fetch the service account credential JSON file from Cloud Storage and decrypt it using a Cloud KMS service account which has encrypt/decrypt permission.
3. Parse the service account credential JSON file at runtime and get private_key, client_email and project_id.
4. Pass these three secret variables to the client library.
We must not store secrets in plain text, e.g. in Cloud Function environment variables.

I hope this helps.
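The four steps above, as an added example that is not part of the original thread or any Google sample: the function fetches the KMS ciphertext from Cloud Storage at runtime, decrypts it, validates that the result really is a service-account key file, and keeps only the fields the client library needs. The bucket, blob and key-ring names, and the `gcs_fetch`/`kms_decrypt` wrappers around the real client libraries, are placeholders; the transport is injected so the parsing and validation can be exercised offline with a constructed key file. A small pre-deploy scanner is included because the post's final point (never ship the key in plain text) is the check most easily automated.

```python
"""Load a service-account key at runtime instead of shipping it in the
deployment package: fetch ciphertext from Cloud Storage, decrypt it with
Cloud KMS, parse the JSON, pass only needed fields to the client library.

Added example, not code from the thread. gcs_fetch/kms_decrypt wrap the
real client libraries (imported lazily so this module loads offline);
bucket, blob and key names are placeholders."""
import json
import os
from typing import Callable, Dict, Iterable, List, Tuple

# token_uri is kept in addition to the post's three fields because
# google-auth's from_service_account_info requires it; it is not a secret.
KEEP_FIELDS = ("private_key", "client_email", "project_id", "token_uri")
PEM_HEADER = "-----BEGIN PRIVATE KEY-----"


def gcs_fetch(bucket: str, blob_path: str) -> bytes:
    """Download the KMS ciphertext (real google-cloud-storage call)."""
    from google.cloud import storage
    return storage.Client().bucket(bucket).blob(blob_path).download_as_bytes()


def kms_decrypt(key_name: str, ciphertext: bytes) -> bytes:
    """Decrypt with Cloud KMS. The function's runtime service account needs
    roles/cloudkms.cryptoKeyDecrypter on key_name (a full
    projects/.../keyRings/.../cryptoKeys/... resource name)."""
    from google.cloud import kms
    client = kms.KeyManagementServiceClient()
    return client.decrypt(request={"name": key_name, "ciphertext": ciphertext}).plaintext


def load_sa_info(fetch: Callable[[], bytes], decrypt: Callable[[bytes], bytes]) -> Dict[str, str]:
    """Fetch, decrypt and validate a key file; return only KEEP_FIELDS.

    Error messages never include the decrypted bytes, so a malformed blob
    cannot leak a real key into Cloud Logging."""
    try:
        info = json.loads(decrypt(fetch()))
    except ValueError as exc:
        raise ValueError("decrypted blob is not valid JSON") from exc
    if not isinstance(info, dict) or info.get("type") != "service_account":
        raise ValueError("decrypted blob is not a service_account key file")
    missing = [f for f in KEEP_FIELDS if not info.get(f)]
    if missing:
        raise ValueError("key file missing fields: %s" % ", ".join(missing))
    if not info["private_key"].startswith(PEM_HEADER):
        raise ValueError("private_key is not a PEM PKCS#8 block")
    return {f: info[f] for f in KEEP_FIELDS}


def find_bundled_keys(files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Pre-deploy check: paths in the package that look like a service
    account key file (JSON object containing private_key)."""
    hits = []
    for path, data in files:
        if not path.endswith(".json"):
            continue
        try:
            doc = json.loads(data)
        except ValueError:
            continue
        if isinstance(doc, dict) and "private_key" in doc:
            hits.append(path)
    return hits


def walk_package(root: str) -> Iterable[Tuple[str, bytes]]:
    """Yield (relative path, contents) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                yield os.path.relpath(full, root), fh.read()


_CACHED_INFO = None  # reused across warm invocations of one instance


def pubsub_entry(event, context):
    """Cloud Functions Pub/Sub entry point (placeholder names throughout)."""
    global _CACHED_INFO
    if _CACHED_INFO is None:
        _CACHED_INFO = load_sa_info(
            fetch=lambda: gcs_fetch("my-secrets-bucket", "loader-sa.json.enc"),
            decrypt=lambda ct: kms_decrypt(
                "projects/my-project/locations/global/keyRings/fn/cryptoKeys/sa-key", ct),
        )
    from google.oauth2 import service_account
    from google.cloud import bigquery
    creds = service_account.Credentials.from_service_account_info(_CACHED_INFO)
    return bigquery.Client(project=_CACHED_INFO["project_id"], credentials=creds)
```

Run `find_bundled_keys(walk_package("."))` from the function's source directory before `gcloud functions deploy`; any path it returns is a key file that would be uploaded in plain text. The decrypt permission is granted to the function's own runtime identity, which is what actually protects the key: anyone who can read the bucket still only holds ciphertext.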

Andrew Davies

Jan 11, 2021, 5:36:37 PM
to Google App Engine
Thanks @Elliott!

To answer those questions:
- It's entirely possible that I'm using Cloud Functions for a purpose they weren't designed for. There are Python scripts I want to run on a scheduled basis (once a day) via Pub/Sub which access some data, parse it to a table, then load it to BigQuery. Using service accounts is an easy way to manage authorisation and they seem designed for this sort of task.
- I'm still learning and not sure of the best way to convert a locally running script to being cloud based. Security is less of a consideration when running locally but I'm aware that storing private keys in plain text in a public cloud isn't a great idea, which is why I was curious as to what I might need to consider or if my concerns were unfounded.
- Security concerns are that someone may be able to access the plain text key file. Again, not that this service account has access to highly confidential information, but I like taking reasonable precautions.

I think the method you described should work fine though! Thank you. :)