Patterns to secure your GCP credentials file with your Go app

gcp-auth-with-default-creds.go

package demo

import (
	"context"
	"google.golang.org/api/option"
  	"cloud.google.com/go/storage"
)

// NewClient returns a new Storage client for Google Cloud Storage on GCP
func NewClient(ctx context.Context) (*Storage, error) {
	client, err := storage.NewClient(ctx, option.WithCredentialsFile(os.Getenv("GOOGLE_APPLICATION_CREDENTIALS")))
	if err != nil {
		return nil, err
	}
  
	return client, err
}

gcp-auth-with-encoded-creds.go

package demo

import (
	"context"
	"google.golang.org/api/option"
  "cloud.google.com/go/storage"
)

// NewClient returns a new Storage client for Google Cloud Storage on GCP
func NewClient(ctx context.Context) (*Storage, error) {
  d, _ := base64.StdEncoding.DecodeString(os.Getenv("GCP_CREDS_JSON_BASE64"))
	client, err := storage.NewClient(ctx, option.WithCredentialsFileJSON(d))
	if err != nil {
		return nil, err
	}
  
	return client, err
}

gcp-credentials-sample.json

{
    "type": "service_account",
    "project_id": "mygcpproject-123456",
    "private_key_id": "private_key_id",
    "private_key": "-----BEGIN PRIVATE KEY-----\nprivate_key\n-----END PRIVATE KEY-----\n",
    "client_email": "my-service-account@mygcpproject-123456.iam.gserviceaccount.com",
    "client_id": "404567770391234433658",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-service-account@mygcpproject-123456.iam.gserviceaccount.com"
  }