An Effective Way to Store Secrets in an Environment Variable

An effective way of saving secrets in an environment variable

  • Convert the original file bq_credentials.json into a Base64 string.

     $ openssl base64 -in bq_credentials.json -out bq_credentials.bin
    
  • Copy the string from the file bq_credentials.bin

  • Save this string in an environment variable named GOOGLE_AUTH_KEY.

  • In the Node.js application, write a function that decodes the Base64 string saved in the GOOGLE_AUTH_KEY variable back to a plain string. Below is a sample function:

        // Decode a Base64 string back to the original UTF-8 text.
        function atob(a) {
            return Buffer.from(a, 'base64').toString('utf8');
        }
  • In the Node.js application, read the GOOGLE_AUTH_KEY environment variable like this:

    const encodedCredentials = process.env.GOOGLE_AUTH_KEY
  • Convert the Base64 string back to the original content of bq_credentials.json and save it in a variable google_auth.

     const google_auth = atob(encodedCredentials);
  • Now use the Node.js file system module to save the contents of the google_auth variable to a file. The reason is that we want a JSON file containing the credentials to exist in the deployment filesystem, but we don't want to push that file to the deployment host through Git. A rule about staying safe says: "Never commit any file containing secrets to Git". So the approach here is to convert the file to a Base64 string. A JSON file does not make sense as the value of an environment variable, but a string of characters can be stored as one. We use the Base64 string to build the file at runtime and finally, as Google recommends, point GOOGLE_APPLICATION_CREDENTIALS at the .json file we created. This way bq_credentials.json exists in production without ever going through Git, which keeps the secret out of the repository.

  • Here is the code that creates the bq_credentials.json file from the google_auth variable, which was itself decoded from the Base64 string stored in GOOGLE_AUTH_KEY:

     // Check for the same file name that is written below.
     if (!fs.existsSync('bq_credentials.json')) {
         fs.writeFile("bq_credentials.json", google_auth, function (err) {
             if (err) {
                 console.log(err);
                 return;
             }
             console.log("Successfully Written to File.");
         });
     }
  • Finally, as recommended by Google, create an environment variable GOOGLE_APPLICATION_CREDENTIALS and point it to the file your program will generate, i.e. bq_credentials.json.

  • Your environment variable should look like this:

    GOOGLE_AUTH_KEY : "2SLFJDWRWR9WURJLSFJLJFLJSOUEKRJLSKRJA OUFALR AOFSFJSLFJSOFUWORUORUWRWUEOUROWRUWT9YRUWOU9SUFLS FOHJS9UYF9WURKS HKFJFS"
    GOOGLE_APPLICATION_CREDENTIALS: "bq_credentials.json"

  • Below is a collection of JavaScript snippets to reference:

    import fs from 'fs';

    // Decode a Base64 string back to the original UTF-8 text.
    function atob(a) {
        return Buffer.from(a, 'base64').toString('utf8');
    }

    try {
        const encodedCredentials = process.env.GOOGLE_AUTH_KEY;
        const google_auth = atob(encodedCredentials);

        // Write the file that GOOGLE_APPLICATION_CREDENTIALS points to.
        if (!fs.existsSync('bq_credentials.json')) {
            fs.writeFile("bq_credentials.json", google_auth, function (err) {
                if (err) {
                    console.log(err);
                    return;
                }
                console.log("Successfully Written to File.");
            });
        }
    } catch (error) {
        // Buffer.from throws if GOOGLE_AUTH_KEY is undefined.
        console.warn(`Ensure that the environment variable for GOOGLE_AUTH_KEY is set correctly: the full error is given here: ${error.message}`);
        process.kill(process.pid, 'SIGTERM');
    }

    Author @Miravicson
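
A hardened variant of the steps above, as an added example that is not the gist author's code: it validates the decoded JSON before writing, writes synchronously with owner-only permissions, and sets GOOGLE_APPLICATION_CREDENTIALS at runtime. The function names, the temp-directory location and the required-field list are assumptions of this example, and it uses CommonJS `require`.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Assumption: the minimum fields this example expects in a service-account key file.
const REQUIRED_FIELDS = ['type', 'client_email', 'private_key'];

// Decode GOOGLE_AUTH_KEY and verify it is the expected JSON before use.
function decodeCredentials(encoded) {
  if (typeof encoded !== 'string' || encoded.trim() === '') {
    throw new Error('GOOGLE_AUTH_KEY is not set');
  }
  // Buffer.from ignores the line breaks that `openssl base64` inserts.
  const json = Buffer.from(encoded, 'base64').toString('utf8');
  let parsed;
  try {
    parsed = JSON.parse(json);
  } catch {
    // Never echo the decoded value: it may contain key material.
    throw new Error('GOOGLE_AUTH_KEY does not decode to valid JSON');
  }
  const missing = REQUIRED_FIELDS.filter((f) => typeof (parsed || {})[f] !== 'string');
  if (missing.length > 0) {
    throw new Error(`credentials are missing: ${missing.join(', ')}`);
  }
  return json;
}

// Write the key file and point GOOGLE_APPLICATION_CREDENTIALS at it.
// Default directory: a fresh per-process temp directory (mkdtemp creates it 0700).
function materializeCredentials(
  env = process.env,
  dir = fs.mkdtempSync(path.join(os.tmpdir(), 'bq-'))
) {
  const json = decodeCredentials(env.GOOGLE_AUTH_KEY);
  const file = path.join(dir, 'bq_credentials.json');
  // Base64 is an encoding, not encryption: this file holds the plaintext key,
  // so restrict it to the owner. Synchronous write: the file exists on return.
  fs.writeFileSync(file, json, { mode: 0o600 });
  fs.chmodSync(file, 0o600); // also covers a pre-existing file
  env.GOOGLE_APPLICATION_CREDENTIALS = file;
  return file;
}

// At startup, before creating any Google client: materializeCredentials();
```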
