Which fields should be kept private in a Google Cloud service account key in JSON format?

This is the shape of my JSON service account key from Google.

{
  "type": "service_account",
  "project_id": "",
  "private_key_id": "",
  "private_key": "",
  "client_email": "",
  "client_id": "",
  "auth_uri": "",
  "token_uri": "",
  "auth_provider_x509_cert_url": "",
  "client_x509_cert_url": "",
}

Which fields should be secret? I mean, I would add most of it to my Git repo, and I would add the private bits as env variables.

Is protecting the private_key enough?

For example:

account.ts

{
  "type": "service_account",
  "project_id": "VALUE",
  "private_key_id": "VALUE",
  "private_key": process.env.PRIVATE_KEY,  // Populating it via env variables
  "client_email": "VALUE",
  "client_id": "VALUE",
  "auth_uri": "VALUE",
  "token_uri": "VALUE",
  "auth_provider_x509_cert_url": "VALUE",
  "client_x509_cert_url": "VALUE",
}

Should I also hide the private_key_id?

The private_key must be protected. If that value is disclosed along with the project_id, someone could easily create authorization tokens and breach your Google Cloud project. If the service account has the correct IAM roles, they could take control of your project.

It is still possible to create authorization tokens without disclosing the project_id but that would require more time as the Project ID can be deduced by other means.

The private_key_id is used to look up the RSA Public Key to validate the signature created by the private_key. Key IDs are public and their disclosure is not a problem.

Only the private_key is a secret. The other values are either sensitive data or public data.

Best Practice: protect the entire service account.

Recommended topics

Hot tags