How to Safely use Google Application Credentials on Heroku

Published May 03, 2020Last updated May 20, 2020
If you have deployed an app on Heroku, you know that the usual way to get files onto a dyno is to commit them to git and push. Normally this is fine, but the Google client libraries expect an environment variable, GOOGLE_APPLICATION_CREDENTIALS, that points to a service account JSON key file on disk.

If you search for this, you will come across tutorials and Stack Overflow answers that tell you to commit the JSON key file downloaded from Google into git, because a file in the repo is the one thing guaranteed to end up on the dyno.

But this file should never be in git. It contains a private key for a service account in your Google Cloud project, and that project is (indirectly) linked to your credit card.

Even if an attacker never touches your card directly, anyone holding that key can call Google APIs as your service account until the key is revoked. Your account gets billed for that usage (once you go past the free quota), and Google charges the card on file. Committing the key also leaves it in git history, so deleting the file later does not take it back.

So putting the credentials JSON file in git is a bad idea.

So what should a developer do?

Solution

The workaround is to store the contents of the JSON file in a config var (an environment variable) and, at runtime, create the JSON file on the fly by reading that variable.

One option is a custom buildpack that does this for you.

Even simpler: create a .profile file in your repo that writes the JSON file from the environment variable. Heroku sources .profile at dyno start, after the config vars are loaded, so no buildpack is required.

Commands

  • On your local machine, where you have downloaded the credentials.json:
    • Store the JSON contents in a config var: heroku config:set GOOGLE_CREDENTIALS="$(< credentials.json)"
  • Create a .profile and put this in it: echo "${GOOGLE_CREDENTIALS}" > /app/google-credentials.json
    • Quote the variable so the shell does not word-split or glob-expand the JSON.
    • This will create the file on Heroku's ephemeral file system each time a dyno is booted.
    • Commit this .profile in the root of your git repo (it holds no secret, only the variable name).
  • Point to the file as the Google libraries expect:
    • heroku config:set GOOGLE_APPLICATION_CREDENTIALS=/app/google-credentials.json
  • 🎉

Published originally on my blog

Discover and read more posts from Mandar Vaze