securely uploading files from local C# winforms app to Google Cloud Storage Bucket in production

Question

I've tried to use GCPs Secret Manager in a Winforms C# app I'm creating but I need credentials.json to access the Secret Manager in the first place. This is fine for development but not in production. Perhaps I shouldn't be using a secret manager at all.

Currently I have a local C# winforms app, the user (a customer not admin) using the app locally can select files from the Windows filesystem and upload these files to Google Cloud Storage bucket. I don't have a server at all but if I should I'm not sure what sort of logic should be inside it.

From the comments I think the server should be the middle man that the user logs into, user gets a token and then the user can upload files to gcloud storage bucket via the server using the token. That way I never really give the user a credentials.json file in the first place.

For this architecture I thought I should use a Service Account because the server would be making the gcloud storage bucket upload calls on behalf of an authenticated user but then i see from John Hanley that User Credentials are assumed to start in an insecure environment and I'd want to have the info of "what user did what" in the audit logs.

In my development build I'm storing credentials.json outside of my project directory and pointing to it using environment variables. This works but this answer suggests I encrypt it using Google KMS and decrypt in the application.

In the comments I see that this is not really secure because the Service Account credentials could be exposed.

As per this answer dlls can be decompiled to equivalent C# code, so anybody would be able to see what I've used to decrypt the key.

1. So now I want to know what architecture should I be using in production and how to make it secure?
2. I'm thinking of making a GAE instance that stores user information in a database, gives authenticated users a token and uses this token when making calls to upload to gcloud storage bucket. Is this sufficient for a production app?

Answer 1

So I think I'm mainly supposed to use Secret Manager with Service accounts and one of GCPs engines (GAE or GCE) by using the Application Default Credentials instead (please correct me if I'm wrong).

No, you should use a custom service account with the permissions you need when running your workload. You should not store service account credentials in Secret Manager.