How can I safely give my Google Cloud application credentials to another person?

Question

I am working on a small project with Java in IntelliJ that uses the Google Cloud Translation API. For managing the dependencies, I use maven. My goal is to create an executable jar.

In my current situation, I have downloaded the .json file that stores my private key and set the environment variable GOOGLE_APPLICATION_CREDENTIALS that points to the location of the .json file either in my IDE via "Run configurations" or with a prompt in the command line before starting the executable jar.

But here is the problem: It works fine on my own computer, but how am I supposed to let another person like my supervisor use my application on their computer? I surely do not want to upload my credentials to a github repo, so my idea was to send him the .json file and let him know that he has to set the environment variable by himself.

I would appreciate any help :)

EDIT: I try to specify my problem - What is the intended way from Google so that other people can run my app? Am I supposed to share my service account's credentials, or can I somehow include them safely into the jar? Because without setting the environment variable, the jar won't start

Answer 1

According to Authentication Best Practices, if you are "developing locally to test or learn", users could login using the gcloud tool with the application-default login. You can put these commands in a bash script or readme.md for convenience:

gcloud auth revoke
gcloud auth application-default revoke
gcloud auth application-default login /
   --billing-project=<BILLING_PROJECT> /
   --scopes=openid,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/cloud-translation.readonly

Notes

• If you're running Translate API v3 you will need to provide its scope in the command, but if you're running v2, you may not need them at all.
• To be safe, you can omit the billing project name from the command in git and have the users enter this themselves.
• The current user must be logged out first to ensure the correct credentials are used.
• You may also need to grant the appropriate Cloud Translation IAM role to the user.

What happens when you run it?

• Running this CLI command will open a browser window and request that the user login to Google Cloud.
• A prompt may also appear to install Cloud Resource Manager. This is used to manage the hierarchy of GCP resources (projects, roles, services, etc.) and is totally free.
• Once the user has logged in, a file called application_default_credentials.json is created in the local Google Cloud SDK configuration folder.

What about the service private key?

If you use this gcloud login method, you do not need the service's private key or the GOOGLE_APPLICATION_CREDENTIALS environment variable. However, if that variable is present, the credentials file it points to will be used instead. This logic is part of the Application Default Credentials workflow used by most modern Google Cloud clients.