02 Apr 2021
How can we authenticate Google Cloud to use SQL Proxy without storing the Service Account JSON file on the server?
The Cloud SQL Auth proxy provides secure access to your instances without the need for Authorized networks or for configuring SSL:
To access Google Cloud Cloud SQL Proxy we need to authenticate using a Service Account with valid permissions. To do that we can set an environment variable GOOGLE_APPLICATION_CREDENTIALS with a path to the service account JSON file. You can find more information on how to set up the authentication here:
If the env var was the actual value of the service account instead of the path I wouldn’t have this problem.
There many tools to manage your secrets, especially environment secrets.
This is useful for obvious security reasonsbecause we don’t want to store sensitive information on the server.
For instance, Chamber, lets you populate the environment with the secrets from the specified services and executes the given command:
chamber exec <service...> -- <your executable>
This will use the environment variables set on chamber and use them inside your executable.
Imagine that you have a Node application that requires an environemnt variable called DATABASE_URL to connect to the database. You can store the variable into chamber and run:
chamber exec my_secrets -- node app.js
Process substitution feeds the output of a process (or processes) into the stdin of another process:
cat <(echo 12345)
This command converts the output of the command echo hey there into a file with the contents: 12345
Feed the service account JSON using process substitution:
./cloud_sql_proxy -instances=INSTANCE_NAME=tcp:3306 -credential_file=<(GET THE JSON USING YOUR SECRET MANAGEMENT TOOL)
The idea here is to use your secret management tool to get your service account JSON file. This way, we won’t need to store the JSON file the on server.
If you need a systemd file (here’s an example), create a shell script in order to use the process substitution with the following line on top: