Google Cloud Functions - How to securely store service account private key when using Google Source Repository?

Question

I use Google Source Repository to store my Google Cloud Functions. (Git repo hosted by Google, basically)

One of my function needs to access a private Google Sheet f

Answer 1

My solution when using cloud function with a service account is:

1. Encrypt your service account credential json file using Cloud KMS/vault and upload it to Cloud Storage.

2. Fetch service account credential json file from Cloud Storage and decrypt it using a Cloud KMS service account which has encrypt/decrypt permission.

3. Parse service account credential json file at runtime and get private_key, client_email and projectId.

4. Pass these three secret variables to the client library

We store config variables as environment variables for cloud function, they are plain text, but it's ok. Because they are not secret things.

We must not store secret things like plain text, e.g cloud function environment variables.