Support GOOGLE_CREDENTIALS in addition to GOOGLE_APPLICATION_CREDENTIALS #316

Open
Mayeu opened this issue Apr 27, 2021 · 0 comments
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Mayeu commented Apr 27, 2021

Hello 👋

Is your feature request related to a problem? Please describe.

Some Google tooling supports the GOOGLE_CREDENTIALS environment variable to store a credential JSON directly instead of storing it in a file. (See the Google Terraform Provider for example.)

I store all my credentials securely in password-store, and load them directly in the env of the process needing them. This ensures minimal exposure of the credentials since the environment is destroyed when the process ends.

Having to have a file with the credentials makes it easier for the credential to leak out. You are one backup away from leaking everything.

Describe the solution you'd like

I'd like to be able to provide only the GOOGLE_CREDENTIALS env variable to authenticate, and not a file.

Describe alternatives you've considered

I have considered bash process substitutions but that can't work with pass. I have also considered copying the file from the password store when needed, and deleting after use, but this is still flaky, requires the user to remember to delete it, and is still not a protection from leaking via a copy, backup, snapshot, or any file system operation that moves or copies data.

@yoshi-automation yoshi-automation added triage me I really want to be triaged. 🚨 This issue needs some love. labels Apr 28, 2021
@danoscarmike danoscarmike added type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. and removed 🚨 This issue needs some love. triage me I really want to be triaged. labels May 3, 2021
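
The lookup this request describes, as an added example that is not part of the issue or of the project's code: a loader that reads inline JSON from GOOGLE_CREDENTIALS before falling back to the key file named by GOOGLE_APPLICATION_CREDENTIALS, never writing the secret to disk. The precedence, the names `resolve_credentials`, `redacted` and `CredentialError`, the field checks and the sample key are assumptions made for illustration.

```python
import json
import os

INLINE_VAR = "GOOGLE_CREDENTIALS"            # inline JSON, as the issue requests
FILE_VAR = "GOOGLE_APPLICATION_CREDENTIALS"  # path to a key file on disk


class CredentialError(ValueError):
    """Raised with a message that never contains credential material."""


def _parse(raw, source):
    try:
        info = json.loads(raw)
    except json.JSONDecodeError:
        # JSONDecodeError carries the whole input in .doc; raise a clean
        # error instead of chaining it into tracebacks or error reports.
        raise CredentialError(f"{source}: not valid JSON") from None
    if not isinstance(info, dict) or "type" not in info:
        raise CredentialError(f"{source}: expected a JSON object with a 'type' field")
    if info["type"] == "service_account":
        missing = [k for k in ("client_email", "private_key") if not info.get(k)]
        if missing:
            raise CredentialError(f"{source}: missing {', '.join(missing)}")
    return info


def resolve_credentials(env=None):
    """Return (credential dict, name of the variable that supplied it)."""
    env = os.environ if env is None else env
    inline = env.get(INLINE_VAR)
    if inline:  # assumed precedence: inline JSON wins over the file path
        return _parse(inline, INLINE_VAR), INLINE_VAR
    path = env.get(FILE_VAR)
    if path:
        with open(path, encoding="utf-8") as fh:
            return _parse(fh.read(), FILE_VAR), FILE_VAR
    raise CredentialError(f"neither {INLINE_VAR} nor {FILE_VAR} is set")


def redacted(info):
    """Copy of the credential that is safe to log."""
    return {k: ("<redacted>" if k == "private_key" else v) for k, v in info.items()}


# Constructed sample, not a real key.
SAMPLE = json.dumps({
    "type": "service_account",
    "client_email": "ci@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
})
```

With pass, the variable can be set for a single process from the shell (for example `GOOGLE_CREDENTIALS="$(pass show <entry>)" <command>`), so the key exists only in that process's environment.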