Which fields should be kept private in a Google Cloud service account key in JSON format?
Question
This is the shape of my JSON service account key from Google.
{
"type": "service_account",
"project_id": "",
"private_key_id": "",
"private_key": "",
"client_email": "",
"client_id": "",
"auth_uri": "",
"token_uri": "",
"auth_provider_x509_cert_url": "",
"client_x509_cert_url": "",
}
Which fields should be secret? I mean, I would add most of it to my Git repo, and I would add the private bits as env variables.
Is protecting the private_key enough?
For example:
account.ts
{
"type": "service_account",
"project_id": "VALUE",
"private_key_id": "VALUE",
"private_key": process.env.PRIVATE_KEY, // Populating it via env variables
"client_email": "VALUE",
"client_id": "VALUE",
"auth_uri": "VALUE",
"token_uri": "VALUE",
"auth_provider_x509_cert_url": "VALUE",
"client_x509_cert_url": "VALUE",
}
Should I also hide the private_key_id ?
1 answers
solution1
4 ACCPTED 2022-10-04 08:44:44
The private_key must be protected. If that value is disclosed along with the project_id , someone could easily create authorization tokens and breach your Google Cloud project. If the service account has the correct IAM roles, they could take control of your project.
It is still possible to create authorization tokens without disclosing the project_id but that would require more time as the Project ID can be deduced by other means.
The private_key_id is used to look up the RSA Public Key to validate the signature created by the private_key . Key IDs are public and their disclosure is not a problem.
Only the private_key is a secret. The other values are either sensitive data or public data.
Best Practice: protect the entire service account.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.