How do I manage my Google service account private keys?
I have a google apps app that uses a service account to subscribe users in the respective google apps domain to specific calendars.
I can get this to work in my development environment by loading the private key of the service account and then using that to authenticate.
But I am hesitant to upload the private key as part of my production deployment. Is this best practice? Is there a better way to authenticate my App Engine service account with a Google Apps domain that doesn't involve downloading my private key? What's the best practice?
source to share
In production App Engine applications, there is a special service account provided by the identity service , but it does not allow you to impersonate the user, these are regular regular service accounts.
As a result, your best option is to download the private key. For obvious security reasons, it is better:
- Use different service accounts in different environments (one for dev, one for testing, and one for production).
- Keep secret keys separate from code, at least for production and testing purposes.
As a result, your best bet is to write a simple HTTP interface that allows you to download the private key and store it in the datastore along with the client ID and client email.
source to share
If you can enable the IAM API, you can automatically generate a private key. I could find a workaround.
Authenticate service account without key loaded in Google App Engine
source to share