
How to authenticate text-to-speech API in a deployed app on Cloud Run?

I am using the text-to-speech API in a web app. Locally, I can download the JSON for my service account and then get a token from it, e.g., in R:

# the key file path comes from an environment variable, not from the repo
token <- gargle::credentials_service_account(
  path = Sys.getenv("GL_AUTH"),
  scopes = "https://www.googleapis.com/auth/cloud-platform"
)

where GL_AUTH is an environment variable that contains the path to the JSON file. Then I can get the access token with token$credentials$access_token. Now, if I deploy this app to Cloud Run from a GitHub repo that contains my app code and the text-to-speech API request, how do I get the access_token? GitHub won't allow me to put the JSON file in the repo.

Hi @durraniu,

Welcome to Google Cloud Community!

Storing your service account key JSON file directly in your GitHub repository is a significant security risk. 

Here are several ways to securely manage your Google Cloud service account credentials in a Cloud Run deployment:

  1. Cloud Run Service Account:
  • Recommended Approach: The best practice is to use a Cloud Run-managed service account. This eliminates the need to manage credentials yourself.
  • How it works: When you deploy your application to Cloud Run, you can link it to a service account that already has the necessary permissions (https://www.googleapis.com/auth/cloud-platform) to access the Text-to-Speech API. Cloud Run automatically provides this service account's credentials to your application through the environment variable GOOGLE_APPLICATION_CREDENTIALS.
  • Implementation:
    1. Create a Service Account: In the Google Cloud Console, create a service account with the appropriate permissions.
    2. Grant IAM Roles: Grant the service account the "Cloud Run Invoker" role on your Cloud Run service, or a more granular role if needed (e.g., "Text-to-Speech User"). This lets the service account make calls to Cloud Run.
    3. Deploy to Cloud Run: During deployment, select the newly created service account. Cloud Run will automatically configure the environment variable GOOGLE_APPLICATION_CREDENTIALS for you.
    4. Code Change (R): Your R code will simplify significantly: you no longer need gargle::credentials_service_account. The googleAuthR package will automatically detect and use the credentials from GOOGLE_APPLICATION_CREDENTIALS.
  2. Google Cloud Secret Manager:
  • Alternative Approach: Store the JSON key in Google Cloud Secret Manager. This is more secure than environment variables, particularly in production environments.
  • How it works: You store the JSON key as a secret. Your Cloud Run service will access the secret using the Secret Manager API. You'll need to give your Cloud Run service account appropriate permissions to access this secret.
  • Implementation:
    1. Store the Secret: Upload your service account key JSON file as a secret in Secret Manager.
    2. Grant Access: Give your Cloud Run service account the "Secret Manager Secret Accessor" role for that secret.
    3. Access the Secret in your Cloud Run application (R): You'll need to use the Secret Manager API (through a client library like googleAuthR or the equivalent for other languages) within your R code to retrieve the secret at runtime. Then, use gargle::credentials_service_account to load credentials from this retrieved JSON. This requires additional code to interact with the Secret Manager API.
  3. Environment Variable with Strict Security:
  • Least Secure: Store the path to the JSON file as a securely-managed environment variable. This is less secure than Secret Manager but can be slightly simpler to set up.
  • How it works: You would set the GL_AUTH environment variable directly in your Cloud Run service settings, rather than relying on a repo.
  • Implementation: This approach requires you to manage the environment variable in the Google Cloud Console for your Cloud Run service. You'll need to deploy the updated JSON file somehow (perhaps a deployment step) and ensure the updated environment variable is set.

Remember to follow Google Cloud's best practices for security and IAM roles to minimize the risk of unauthorized access to your service account. Always use the least privilege principle – grant your service account only the permissions it absolutely needs.

I hope the above information is helpful.
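The recommended approach above (option 1), as an added R example that is not part of the original thread: no key file is shipped with the app; on Cloud Run the token is minted for the service account attached to the service, while local development still reads a key file from GL_AUTH kept outside the repo. It assumes the Cloud Run service was deployed with a service account that may call Text-to-Speech, that gargle/httr/jsonlite are installed in the container image, and the helper names get_tts_token and synthesize_mp3 are my own.

```r
# Added example, not code from the original post. Assumes: a service
# account with Text-to-Speech permission is attached to the Cloud Run
# service, and GL_AUTH (if set) points at a key file outside the repo.
library(gargle)
library(httr)
library(jsonlite)

tts_scope <- "https://www.googleapis.com/auth/cloud-platform"

# Choose credentials by where the code runs. Nothing here reads a key
# out of the application bundle or the repository.
get_tts_token <- function() {
  key_path <- Sys.getenv("GL_AUTH")
  if (nzchar(key_path) && file.exists(key_path)) {
    # Local development: key file referenced by an env var, never committed.
    return(gargle::credentials_service_account(path = key_path, scopes = tts_scope))
  }
  # Cloud Run: short-lived token for the attached service account, obtained
  # from the metadata server (Application Default Credentials), no key file.
  token <- gargle::credentials_gce(scopes = tts_scope, service_account = "default")
  if (is.null(token)) {
    stop("No credentials: set GL_AUTH locally or attach a service account on Cloud Run")
  }
  token
}

# Minimal call to the Text-to-Speech REST endpoint; writes the MP3 bytes
# returned in audioContent to out_file and returns its path.
synthesize_mp3 <- function(text, out_file = "speech.mp3") {
  token <- get_tts_token()
  resp <- httr::POST(
    "https://texttospeech.googleapis.com/v1/text:synthesize",
    httr::add_headers(Authorization = paste("Bearer", token$credentials$access_token)),
    httr::content_type_json(),
    body = jsonlite::toJSON(list(
      input = list(text = text),
      voice = list(languageCode = "en-US"),
      audioConfig = list(audioEncoding = "MP3")
    ), auto_unbox = TRUE)
  )
  httr::stop_for_status(resp)
  audio <- jsonlite::fromJSON(httr::content(resp, as = "text", encoding = "UTF-8"))$audioContent
  writeBin(jsonlite::base64_dec(audio), out_file)
  out_file
}
```

The service account only needs the Text-to-Speech permission; if the call fails with a 403 on Cloud Run, check the IAM role on the attached account rather than adding a key file.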