From dbe44e627ae630585ab2dbd317cda6c99a440828 Mon Sep 17 00:00:00 2001
From: Marwan Sulaiman
Date: Mon, 25 Feb 2019 18:16:13 -0500
Subject: [PATCH] storage/gcp: use base64 for json key (#1089)
---
 config.dev.toml | 9 ++++-----
 pkg/storage/gcp/gcp.go | 7 ++++++-
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/config.dev.toml b/config.dev.toml
index f918a80f..33bfe17a 100755
--- a/config.dev.toml
+++ b/config.dev.toml
@@ -182,15 +182,14 @@ SingleFlightType = "memory"
 # Env override: ATHENS_STORAGE_GCP_BUCKET
 Bucket = "MY_GCP_BUCKET"
- # JSONKey allows Athens to be run outside of GCP
+ # JSONKey is a base64 encoded service account
+ # key that allows Athens to be run outside of GCP
 # but still be able to access GCS. If you are
- # running Athens inside GCP, you will most
+ # running Athens inside GCP, you will most
 # likely not need this as GCP figures out
 # internal authentication between products for you.
- # Pro tip: if you are pasting this as a JSON inside a string,
- # make sure you escape "\n" by making it "\\n".
 # Env override: ATHENS_STORAGE_GCP_JSON_KEY
- JSONKey = "SERVICE_ACCOUNT_KEY"
+ JSONKey = ""
 [Storage.Minio]
 # Endpoint for Minio storage
diff --git a/pkg/storage/gcp/gcp.go b/pkg/storage/gcp/gcp.go
index b6c6b592..8c81863e 100644
--- a/pkg/storage/gcp/gcp.go
+++ b/pkg/storage/gcp/gcp.go
@@ -2,6 +2,7 @@ package gcp
 import (
 "context"
+ "encoding/base64"
 "fmt"
 "time"
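Review bot: In config.dev.toml, the rewritten JSONKey comment says the value is base64 encoded but not that it is still the service-account private key in a trivially reversible form, so a reader could take the encoding for protection. I would add a line such as `# base64 is an encoding, not encryption: treat this value as a secret and prefer the env override to committing it.` The comment could also name the expected form, for example `# (standard, padded base64 of the whole key file)`, because pkg/storage/gcp/gcp.go now rejects anything that does not decode. A deployment that still supplies raw JSON through ATHENS_STORAGE_GCP_JSON_KEY will presumably fail at storage setup after this change, which is worth a sentence in the comment or release notes.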
@@ -31,7 +32,11 @@ func New(ctx context.Context, gcpConf *config.GCPConfig, timeout time.Duration)
 opts := []option.ClientOption{}
 if gcpConf.JSONKey != "" {
- creds, err := google.CredentialsFromJSON(ctx, []byte(gcpConf.JSONKey), storage.ScopeReadWrite)
+ key, err := base64.StdEncoding.DecodeString(gcpConf.JSONKey)
+ if err != nil {
+ return nil, errors.E(op, fmt.Errorf("could not decode base64 json key: %v", err))
+ }
+ creds, err := google.CredentialsFromJSON(ctx, key, storage.ScopeReadWrite)
 if err != nil {
 return nil, errors.E(op, fmt.Errorf("could not get GCS credentials: %v", err))
 }
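Review bot: The new decode step in New accepts only padded, standard-alphabet base64, so a JSONKey that is still raw JSON, is URL-safe base64, or carries stray surrounding spaces is rejected with nothing more than a byte offset from encoding/base64. That offset-only error is safe to log because it does not echo key material, but it gives an operator little to go on. I would make the message name the expected format, `fmt.Errorf("could not decode JSONKey as standard base64 of the service account JSON: %v", err)`, and trim whitespace before decoding with `strings.TrimSpace(gcpConf.JSONKey)` (this needs the `strings` import). New starts and ends outside this hunk, so how callers surface this error cannot be seen here.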