Securely Loading Credentials for Google Cloud Storage in Node.js

A guide on securely loading Google Cloud Storage credentials in Node.js applications using various methods.

Google Cloud Storage (GCS) is a robust and scalable object storage service offered by Google Cloud. To interact with GCS in your Node.js applications, you’ll need to authenticate using service account credentials. This article explores different methods for securely loading these credentials into your Node.js code.

Initializing Credentials for the Storage Constructor

The Storage constructor in the Google Cloud Storage Node.js client library accepts credentials in various formats. Let’s explore the common methods:

Using a JSON File:

The most common approach is to use a JSON file containing your service account key. You can generate this key from the Google Cloud Console.

const {Storage} = require('@google-cloud/storage');

// keyFilename is the path to the service account key file on disk
const storage = new Storage({
    keyFilename: 'path/to/your/key.json'
});

Using an Environment Variable:

While convenient, directly storing the JSON contents of your service account key in an environment variable is not recommended due to security risks.

  • Secure Approach:

      • Encode the JSON: Encode the JSON contents of your service account key file using Base64 encoding.

// A leading './' is required so that require() loads the file instead of looking for a package
const serviceAccountJSON = require('./path/to/your/key.json');
const serviceAccountBuffer = Buffer.from(JSON.stringify(serviceAccountJSON), 'utf-8');
const serviceAccountBase64Encoded = serviceAccountBuffer.toString('base64');

      • Set the Environment Variable: Store the `serviceAccountBase64Encoded` string as an environment variable.

      • Decode and Use:

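const {Storage} = require('@google-cloud/storage');

// Read the Base64 string from the environment and stop early if it is missing
const serviceAccountBase64Encoded = process.env.GCLOUD_SERVICE_ACCOUNT_KEY;
if (!serviceAccountBase64Encoded) {
    throw new Error('GCLOUD_SERVICE_ACCOUNT_KEY is not set');
}
const serviceAccountBuffer = Buffer.from(serviceAccountBase64Encoded, 'base64');
const serviceAccountJSON = JSON.parse(serviceAccountBuffer.toString('utf-8'));

const storage = new Storage({
    credentials: serviceAccountJSON
});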
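
The decode step above with validation added, as an example that is not code from the original post or from the client library: `loadServiceAccount`, `describeServiceAccount`, `encodeForEnv` and `SAMPLE_KEY` are hypothetical names, and the sample key is constructed. Base64 is a reversible encoding rather than encryption, so the variable still holds the private key and needs the same protection as the key file; the loader therefore keeps decoded text out of its error messages and offers a log-safe summary.

```javascript
// Added example: load and validate the Base64 value from the article's variable.
const REQUIRED = ['type', 'project_id', 'private_key', 'client_email'];

function loadServiceAccount(env = process.env, name = 'GCLOUD_SERVICE_ACCOUNT_KEY') {
  const raw = env[name];
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new Error(`${name} is not set`);
  }
  // Buffer.from(x, 'base64') skips characters outside the alphabet instead of
  // failing, so a raw JSON paste would decode to garbage. Check the alphabet first.
  const compact = raw.replace(/\s+/g, '');
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(compact)) {
    throw new Error(`${name} is not valid Base64`);
  }
  let creds;
  try {
    creds = JSON.parse(Buffer.from(compact, 'base64').toString('utf-8'));
  } catch {
    // Keep the parser message out of the error: it can quote decoded key text.
    throw new Error(`${name} does not decode to JSON`);
  }
  if (creds === null || typeof creds !== 'object' || Array.isArray(creds)) {
    throw new Error(`${name} does not decode to a JSON object`);
  }
  const missing = REQUIRED.filter((f) => typeof creds[f] !== 'string' || creds[f] === '');
  if (missing.length > 0) {
    throw new Error(`${name} is missing fields: ${missing.join(', ')}`);
  }
  if (creds.type !== 'service_account') {
    throw new Error(`${name} is not a service account key`);
  }
  return creds; // pass as: new Storage({ credentials: creds })
}

// Log-safe view of the credentials: identifies the key, never the private key itself.
function describeServiceAccount(creds) {
  return { project_id: creds.project_id, client_email: creds.client_email,
           private_key_id: creds.private_key_id || null };
}

// Constructed sample, not a real key. encodeForEnv mirrors the article's encoding step.
const SAMPLE_KEY = {
  type: 'service_account',
  project_id: 'example-project',
  private_key_id: 'constructed-key-id',
  private_key: '-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n',
  client_email: 'demo@example-project.iam.gserviceaccount.com',
};
const encodeForEnv = (obj) => Buffer.from(JSON.stringify(obj), 'utf-8').toString('base64');
```
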

Specifying Credentials Directly:

You can also specify the credentials directly within the Storage constructor:

const {Storage} = require('@google-cloud/storage');

// Every value below is a placeholder for the matching field of the service account key
const storage = new Storage({
    credentials: {
        type: 'service_account',
        project_id: 'your-project-id',
        private_key_id: 'your-private-key-id',
        private_key: '-----BEGIN PRIVATE KEY-----\n' +
                    'your-private-key-content\n' +
                    '-----END PRIVATE KEY-----\n',
        client_email: 'your-client-email',
        client_id: 'your-client-id',
        auth_uri: 'https://accounts.google.com/o/oauth2/auth',
        token_uri: 'https://oauth2.googleapis.com/token',
        auth_provider_x509_cert_url: 'https://www.googleapis.com/oauth2/v1/certs',
        client_x509_cert_url: 'your-client-x509-cert-url'
    }
});

Choosing the Right Method:

  • Using a JSON file: Simplest approach, but requires managing a separate file.
  • Using an environment variable: Convenient, but crucial to use Base64 encoding for security.
  • Specifying credentials directly: Secure, but less flexible for managing multiple configurations.

Conclusion

By understanding these methods, you can securely load credentials for your Google Cloud Storage Node.js applications and interact with GCS effectively. Always prioritize security best practices when handling service account keys.

For further details and advanced configurations, refer to the official Google Cloud Storage Node.js client library documentation.

I hope this blog post helps you effectively manage your GCS credentials in Node.js!