Hello,

I’d like to address your questions but before I do, I would like you to 
know that there would be no by and large answer on security. It depends on 
your requirements. Depending on the answers to some questions, I would be 
guiding you to a point where you may benefit.

To begin, you mentioned that you wish to use a service key to your Cloud 
Function.

Is there a reason why you chose this approach in that a Cloud Function has 
a service account?
Why are you using a Cloud Function to store your key?
What specific security concerns do you have? 

I was able to look further and was suggested this thread here 
<https://stackoverflow.com/questions/48602546/google-cloud-functions-how-to-securely-store-service-account-private-key-when> 
that has several views that may assist you. Perhaps it may provide you with 
further insight.

1. Encrypt your service account credential json file using Cloud KMS/vault 
   and upload it to Cloud Storage.
2. Fetch service account credential json file from Cloud Storage and decrypt 
   it using a Cloud KMS service account which has encrypt/decrypt permission.
3. Parse service account credential json file at runtime and get private_key, 
   client_email and ProjectId.
4. Pass these three secret variables to the client library.

We must not store secret things like plain text, e.g. cloud function 
environment variables.

I hope this helps.


On Monday, January 11, 2021 at 9:16:31 AM UTC-5 ajdav...@gmail.com wrote:

> Hi there,
>
> I'm pretty new so please pardon if this is a stupid question. I seem to 
> get led astray when looking for security info too. 
>
> Is it safe to store a key as part of a package published to Google Cloud 
> Functions? Specifically this would be a key used for a Google service 
> account as part of a GCP project. 
>
> If not natively, is there anything I could do to make it 'safe' or is it 
> generally a bad idea all around?
>
> Nothing super sensitive to be done by the function but still would prefer 
> it to run with minimal risk of interference. 
>
> Thanks!
>
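
The fetch, decrypt and parse steps listed in the reply, as an added Python example that is not part of either message. The bucket, object and key names, the `SAMPLE` record and the `fake_fetch`/`fake_decrypt` stand-ins are constructed assumptions so the flow runs offline; the real calls need the google-cloud-storage and google-cloud-kms packages.

```python
import base64
import json

REQUIRED = ("private_key", "client_email", "project_id")

def fetch_from_gcs(bucket, obj):
    """Download the encrypted key file (needs google-cloud-storage)."""
    from google.cloud import storage  # imported lazily so the demo runs offline
    return storage.Client().bucket(bucket).blob(obj).download_as_bytes()

def decrypt_with_kms(key_name, ciphertext):
    """Decrypt with Cloud KMS (needs google-cloud-kms and decrypt permission)."""
    from google.cloud import kms
    client = kms.KeyManagementServiceClient()
    return client.decrypt(request={"name": key_name, "ciphertext": ciphertext}).plaintext

def parse_credential(plaintext):
    """Return only the three fields the steps name; fail closed otherwise."""
    try:
        info = json.loads(plaintext)
    except ValueError:
        # Keep the decrypted text out of the error message.
        raise ValueError("decrypted blob is not valid JSON") from None
    if not isinstance(info, dict) or info.get("type") != "service_account":
        raise ValueError("not a service account key file")
    missing = [k for k in REQUIRED if not info.get(k)]
    if missing:
        raise ValueError("key file is missing: " + ", ".join(missing))
    return {k: info[k] for k in REQUIRED}

def load_credential(bucket, obj, key_name, fetch=fetch_from_gcs, decrypt=decrypt_with_kms):
    """Fetch, decrypt and parse in memory; nothing is written to disk or env."""
    return parse_credential(decrypt(key_name, fetch(bucket, obj)))

# Constructed sample so the flow runs offline. base64 stands in for KMS here;
# it is an encoding, not encryption.
SAMPLE = {"type": "service_account", "project_id": "example-project",
          "private_key": "constructed-placeholder-not-a-real-key",
          "client_email": "fn-sa@example-project.iam.gserviceaccount.com"}

def fake_fetch(bucket, obj):
    return base64.b64encode(json.dumps(SAMPLE).encode())

def fake_decrypt(key_name, ciphertext):
    return base64.b64decode(ciphertext)

if __name__ == "__main__":
    cred = load_credential("example-bucket", "sa.json.enc", "example-key",
                           fetch=fake_fetch, decrypt=fake_decrypt)
    print(cred["client_email"], cred["project_id"])  # never print private_key
```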
