Google Cloud credential / service account practice

What is a Google service account?

A service account is a type of Google account intended to represent a non-human user. It is typically used by workloads running on virtual machines, and it is the identity under which those workloads authenticate to, and are authorized for, the different Google APIs.

Types of service account in Google Cloud Platform

There are a few types of service account.

User-managed service account

A user-managed service account is one whose key is created and managed manually; the key is represented as a JSON file.

This poses a security problem: the key file is a long-lived secret that can be leaked through device compromise or human error.

{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
  "client_email": "service-account-email",
  "client_id": "client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}

Google-managed service account

With a Google-managed service account, the application assumes the account's identity without using a JSON key or any other kind of secret.

Since no key is involved, the security posture is stronger: there is no key file to leak.

How it works in practice

When we create a VM we can attach a service account to it. At run time, when the application requests authentication, it will by default look for the service account attached to the VM and obtain short-lived access tokens for it from the metadata service. This is in contrast to the traditional JSON-key method, where you point GOOGLE_APPLICATION_CREDENTIALS at the path of the key file.

The user account is also a type of Google-managed service account. Since we can't attach a user account to a VM or to a local development environment, we need to point the application at the user account's Application Default Credentials (ADC) on the local path so that it can authenticate.

export GOOGLE_APPLICATION_CREDENTIALS=~/.config/gcloud/application_default_credentials.json
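As an added example (not code from the original post), the following Python mirrors the ADC lookup order described above: the file named by GOOGLE_APPLICATION_CREDENTIALS first, then the well-known ADC file, then the metadata server. It flags which credential sources carry a long-lived secret on disk and which do not. The function names are my own, SAMPLE_KEY is a constructed stand-in for a real key file, and the code does not actually call the metadata server.

```python
import json
import os
from pathlib import Path

# Well-known file written by `gcloud auth application-default login`.
WELL_KNOWN_ADC = Path.home() / ".config" / "gcloud" / "application_default_credentials.json"
# Where an attached service account's short-lived tokens come from. The request
# must carry the header "Metadata-Flavor: Google"; no key file is involved.
METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")

# Constructed sample of a user-managed key file; not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "project-id",
    "client_email": "example-sa@project-id.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
}


def classify_credential(data):
    """Report what kind of credential a parsed ADC/key JSON document holds."""
    kind = data.get("type")
    if kind == "service_account":   # user-managed key: long-lived private key
        return {"type": kind, "identity": data.get("client_email"),
                "long_lived_secret": "private_key" in data}
    if kind == "authorized_user":   # user ADC: long-lived refresh token
        return {"type": kind, "identity": data.get("client_id"),
                "long_lived_secret": "refresh_token" in data}
    raise ValueError(f"unsupported credential type: {kind!r}")


def _load(path, source):
    with open(path) as f:
        info = classify_credential(json.load(f))
    info["source"] = source
    return info


def resolve_adc(env=None, well_known=WELL_KNOWN_ADC):
    """Mirror the ADC lookup order: env var file, well-known file, metadata server."""
    env = os.environ if env is None else env
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:                    # a missing file here is an error, not a fallthrough
        return _load(explicit, "env-file")
    if Path(well_known).is_file():
        return _load(well_known, "well-known-file")
    # Nothing on disk: on a VM the client library asks the metadata server for a
    # short-lived token bound to the attached service account.
    return {"source": "metadata-server", "type": "attached_service_account",
            "identity": None, "long_lived_secret": False, "token_url": METADATA_TOKEN_URL}
```

Running resolve_adc() on a developer machine that has done `gcloud auth application-default login` reports the well-known file and a long-lived refresh token; on a VM with an attached service account and no key file it reports the metadata server and no secret on disk.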
