Best practice to pass GOOGLE_APPLICATION_CREDENTIALS

Hello! What is the best way (or proper way) to pass the service account credential json key to the enrich component?

Right now I have an enrich server setup with an instance template. The json key is hard coded in the startup-script (which is probably not good…I would be surprised otherwise…). I’ve seen some examples where the key has been copied from cloud storage, not sure it is better (or yes?)

As my experience is more than limited on this aspect, I would be happy to hear about any ideas.

Thanks.

Hey @simonbreton the better way is to generally bind the service account to your GCP service and let it figure out the key exchange for you.

As an example in our quickstart examples we bind the custom service account to the instance group - when an instance is launched the service account is available to the Enrich process running on the server (no more passing around account credential JSONs).

You can do a similar thing with Kubernetes service accounts and annotating them with the GCP service account so again credentials are pulled in dynamically.

Generally speaking it is bad practice to have to pass around JSON keys as you then have to also handle rotations and the risk of leaking the key.

Hope this helps!


Quickstart example for reference: terraform-google-enrich-pubsub-ce/main.tf at main · snowplow-devops/terraform-google-enrich-pubsub-ce · GitHub

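As an added illustration of the approach described in the reply above (it is not code from the snowplow-devops quickstart), the Terraform below attaches a dedicated service account to the instance template so the Enrich process obtains tokens from the instance metadata server instead of a JSON key, and adds the Workload Identity binding used for the Kubernetes variant. Resource names, the IAM roles, the `snowplow/enrich` namespace/service-account pair and the startup-script path are assumptions chosen for the example.

```hcl
# Added example, not the quickstart's own code. Names, roles and paths are
# assumptions; only the pattern (bind a service account, pass no key) matters.
variable "project_id" { type = string }

resource "google_service_account" "enrich" {
  account_id   = "enrich-server"
  display_name = "Enrich server"
}

# Grant only the roles Enrich needs (subscriber shown; publisher is added the same way).
resource "google_project_iam_member" "enrich_sub" {
  project = var.project_id
  role    = "roles/pubsub.subscriber"
  member  = "serviceAccount:${google_service_account.enrich.email}"
}

resource "google_compute_instance_template" "enrich" {
  name_prefix  = "enrich-"
  machine_type = "e2-small"

  disk {
    source_image = "debian-cloud/debian-11"
    boot         = true
  }

  network_interface {
    network = "default"
  }

  # No GOOGLE_APPLICATION_CREDENTIALS in metadata or in the startup script:
  # the Google client library on the VM finds these credentials automatically.
  service_account {
    email  = google_service_account.enrich.email
    scopes = ["cloud-platform"]
  }

  metadata_startup_script = file("${path.module}/enrich-startup.sh")
}

# GKE equivalent (Workload Identity): let the Kubernetes service account
# "enrich" in namespace "snowplow" impersonate the GCP service account; the
# KSA is then annotated with iam.gke.io/gcp-service-account = <that email>.
resource "google_service_account_iam_member" "enrich_wi" {
  service_account_id = google_service_account.enrich.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[snowplow/enrich]"
}
```

With this in place the startup script contains no secret at all, so there is nothing to rotate or leak if the template or bucket is exposed.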

Makes sense! Thanks a lot!


No worries!