JSON credentials file

Really wanted to get gatsby-source-google-sheets working on this blog, as part of a workflow to collect social media posts elsewhere and display them here.

(For a while I’ve had an IFTTT recipe saving various ‘likes’ and posts, using Google Sheets. When I found g-s-g-s, I realized I could (easily?) convert each spreadsheet entry to a post on Rich Text.)

The g-s-g-s docs make the config clear; but what to do about this line in the options object?

```js
credentials: require('./path-to-credentials-file.json'),
```

Per these instructions, recommended by the g-s-g-s docs though a bit out-of-date, that JSON file will have a private key in it, among other things. Just to get things running, I went ahead and committed the JSON file to my repo, and sure enough everything worked, but in no time I got an email alert from Git Guardian warning me that I’d just stashed a private key in a public repo.

I spent longer than I should have, fiddling with `dotenv` and trying to store pieces of the JSON file in `.env` and in the Build Environment Variables section of Netlify’s dashboard. Nothing ever worked. Newlines, double quotes, carriage returns, single quotes, something was always wrong with the data.

Googling around for more info about how the Google Cloud Platform authenticates “service accounts”, I kept seeing people talking about the JSON file being passed in to the API as a credentials variable.

It’s still not clear to me how others are doing this, without exposing those JSON files in public repos, but it eventually dawned on me that I could stringify and parse the file.

Used the console to quickly stringify the entire service account settings object, and placed that string in my `.env` file. Also pasted in the same string on Netlify. In `gatsby-config.js`, then, I put

```js
credentials: JSON.parse(process.env.GATSBY_CREDS),
```

…and I seem to be back on track. The private key and other secrets are kept out of the repo, in a local dotenv file and on Netlify’s build-env-variables page, and I’m still sending the JSON blob to Google’s authentication method.

Would be interested to know if there’s a better way…
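
An added example, not code from the original post or from gatsby-source-google-sheets: one way to harden the stringify-and-parse approach described above. It goes beyond the post by also accepting a base64-encoded copy of the JSON, which sidesteps the quoting and newline problems. The variable names `SHEETS_CREDS_B64` and `SHEETS_CREDS` and both function names are assumptions; the names avoid the `GATSBY_` prefix because Gatsby makes `GATSBY_`-prefixed variables available to browser code.

```javascript
// Added example; SHEETS_CREDS_B64 and SHEETS_CREDS are hypothetical variable names.
// No GATSBY_ prefix: Gatsby makes GATSBY_-prefixed variables available to browser code.
const REQUIRED = ['client_email', 'private_key'];

// Produce a single-line value for .env or the Netlify dashboard.
// Base64 has no quotes, spaces or newlines for dotenv or a shell to mangle.
function encodeForEnv(serviceAccount) {
  return Buffer.from(JSON.stringify(serviceAccount), 'utf8').toString('base64');
}

// Read the credentials object back, preferring the base64 form.
function loadServiceAccount(env) {
  let text;
  if (env.SHEETS_CREDS_B64) {
    text = Buffer.from(env.SHEETS_CREDS_B64, 'base64').toString('utf8');
  } else if (env.SHEETS_CREDS) {
    text = env.SHEETS_CREDS;
  } else {
    throw new Error('service account credentials are not set');
  }
  let creds;
  try {
    creds = JSON.parse(text);
  } catch (e) {
    // Do not rethrow e.message or text: either may echo part of the key into build logs.
    throw new Error('service account credentials are not valid JSON');
  }
  if (creds === null || typeof creds !== 'object') {
    throw new Error('service account credentials are not a JSON object');
  }
  for (const field of REQUIRED) {
    if (typeof creds[field] !== 'string' || creds[field] === '') {
      throw new Error('service account credentials are missing ' + field);
    }
  }
  // A key that went through extra escaping holds the two characters "\n"; restore real newlines.
  creds.private_key = creds.private_key.replace(/\\n/g, '\n');
  return creds;
}

// Constructed sample: not a real key or account.
const sample = {
  type: 'service_account',
  client_email: 'sheets-reader@example-project.iam.gserviceaccount.com',
  private_key: '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n',
};
```

In `gatsby-config.js` the option would then read `credentials: loadServiceAccount(process.env)`, with the output of `encodeForEnv` stored in `.env` (kept out of the repo via `.gitignore`) and in Netlify's build environment variables.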

This entry was posted on March 20, 2018.