I made a CLI application in Python which uses Google Dialogflow.
As the documentation provides, I created a Service Account and downloaded the JSON file. Then I loaded it in Python and the application works.
Now I want to publish my software on GitHub and pip but when I load all the files I receive an e-mail from Google that states that I am not managing correctly my credentials. And I agree with that.
The problem is that I do not understand how to manage properly those credentials.
There is 2 solutions:
Either anyone can access to your backend, and you don't need a service account, because it's pubilc
Or, it's private and you don't publish your key (if the secret is known of everyone, the security is useless, make it public!). It's a requirement of the deployment to not commit publicly but to document and to explain how to configure the correct service account to use your app.
Provide more on your context and want you want to achieve to have better pieces of advice. What do you want to protect? Where will you deploy your app? ...
Related
I am using GitHub and upload Jupyter notebooks.
My goal is to showcase use cases of Cloud service providers like AWS, IBM or Heroku.
Therefore, I store user credentials on public repos on GitHub.
This allows me to execute the code on the Cloud platforms.
(Reacting to comments:
I am not storing the credentials on GitHub, but using the os.getenv function to get the SECRET_KEY from .env file stored locally, which is added to .git ignore. Sorry for being unclear.)
I am using dotenv to secure my credentials.
I am following the method described here:
Keep your secrets safe with Python-dotenv
The implementation works fine, but I want to ascertain that this is a secure method to protect critical credentials against hacks, or do I miss something?
Security usually is a compromise between convinience and security level. What you should not do at least is having credentials in code or version control.
credentials in a repo is a really bad practice, please avoid this specially for public repos and code for your company. dotenv is intended for having secrets locally in anycase, never adding them to a repo.
credentials as pipeline varibales is OK. I used GitLab variables, and there is something similar for github although I am not an expert on github. Just be sure to not log them, do make them protected and not visible (masked).
the best option is to manage credentials in a more advanced service like Hashicorp Vault, so you can rotate them, deprecate them and have full control. Of course this solution is more advanced and requires integration.
Anyway, there may be always leaks, if you use third party machines for running actions/jobs you have potential security risks, so rotating credentials periodically is a good practice.
I'm trying to start using Google Analytics API 4 as instructed with Python and Jupyter Notebook. I follow the instructions https://developers.google.com/analytics/devguides/reporting/data/v1/quickstart-client-libraries and get to Step 3. Configure authentication
And then they write that you need to set GOOGLE_APPLICATION_CREDENTIALS="[PATH]" I downloaded this file to my computer and added it to the project folder, but I can't get verified using the service account.
On github they write https://github.com/googleapis/python-analytics-data#installation that you need to use a virtual environment? Is it so? Will it work without it?
I am using service-account, not oauth 2.0
To be clear GOOGLE_APPLICATION_CREDENTIALS is a virtual environmental variable. This variable is used by many of the google client libraries to load the credentials for any of the APIs. The question i have duplicated this as shows a number of ways to set it.
As you seem to still be a little unsure. Here is some additinal information.
As stated in the docs.
An easy way to provide service account credentials is by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable, the API client will use the value of this variable to find the service account key JSON file.
You need to set an env var on your machine to the path of the service account key file.
There are a number of examples of how to do that.
Authenticating as a service accoun
Set GOOGLE_APPLICATION_CREDENTIALS in Python project to use Google API
I did. I'll tell you how it turns out for beginners:
https://developers.google.com/analytics/devguides/reporting/data/v1/quickstart-client-libraries
Click on the blue button Enable the Google Analytics Data API v1, a project is created, a service account is created in Google Cloud and the Google Analytics API is activated. Download JSON file
After that, you need to add a service account in the GA4 resource
Then you need to authenticate according to the method from here https://cloud.google.com/docs/authentication/production#setting_the_environment_variable
This requires Passing credentials manually. Using the code in the article, the path to the json file on the computer is indicated
When trying to authenticate a service account, 403 GET storage.googleapis.com/storage/v1/… will be issued: starting-account-smhpwtovr5jj #test-data-api-1654114095791.iam.gserviceaccount.com does not have storage.buckets.list access to the Google Cloud project.
To do this, you need to go to IAM and create a new role for the Owner or Storage Admin service account. After that, GOOGLE_APPLICATION_CREDENTIALS finds and you can start installing the Data API library
We're trying to develop an integration exploring Python libraries for Oauth2, but in every single one of them when it's related to Outlook accounts they require client ID and client secret, data extracted of course, from Azure. thing is, we got no Azure account available now. is it indeed impossible to achieve this without Azure? any workarounds?
I'm attempting to deploy a Pythonic Telegram bot from my GitHub repository using Heroku's service.
Telegram's API includes an API token, which I keep as a secret in my Github repository.
How could I deploy the software that was linked to GitHub and insert the app's credentials?
I don't want my credentials to be included in the codebase.
What is the safest and easy way to handle the situation?
Basically use config files and .gitignore, but the question is answered in much greater detail here What is the best practice for dealing with passwords in git repositories?
In AWS, you can assign a role to a VM, which then authorizes the instance when it makes queries to the AWS SDK. I am looking for similar functionality in Azure, or something that would enable me to do close to that.
I found this post which suggests that this is not possible in the way AWS does it. Are there any workarounds for this? I really don't want the system administrator to have to login to the instance and give their Azure Active Directory credentials to authorize it.
Excellent question :). I would suggest to wait a few days, we have something in progress that seems to fit your need. I created this issue for tracking.
The most simple would be to create a Service Principal credentials for these VMs. To do that, execute a post deployment script to install the CLI and "az ad sp create-for-rbac --sdk-auth >~/mycredentials.json". Then, you can start SDK script reading this credential file.
The "create-for-rbac" commands already exists if you want to look at it (--sdk-auth is the new option coming), so you can see that you can specify all scope and permissions needed in this command.
(I own the Azure SDK for Python at MS)