I am using Windows to run a local App Engine for my Golang project.
I was getting googleapi: Error 403: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/xxxx/locations/xxxx/keyRings/xxx/cryptoKeys/xxx' (or it may not exist)., forbidden. Then I resolved it by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS to the service account file xxxx.json.
Then, when deployed to GCP App Engine, it returns the same error: googleapi: Error 403.....
So how do I set GOOGLE_APPLICATION_CREDENTIALS in GCP App Engine?
3 Answers
The problem that you are having is caused by developing/testing in two environments: your desktop and App Engine. This problem is easy to solve in a clean and secure way.
When developing/testing on your desktop, use a service account. Use an environment variable to specify the service account.
On Windows:
set GOOGLE_APPLICATION_CREDENTIALS=c:\fullpath\serviceaccount.json
On Linux:
export GOOGLE_APPLICATION_CREDENTIALS=/fullpath/serviceaccount.json
You can run the previous command manually at the command prompt or put it into a startup script (Linux) or a system environment variable (Windows).
For App Engine, I do not recommend using a service account file in your application. I also do not recommend setting the environment variable.
Google Client libraries support Application Default Credentials (ADC). This means that the libraries will attempt to find credentials for you automatically. The Client libraries can then use the environment to find the service account to use on Windows and automatically use the App Engine Default Service Account when deployed.
Google Cloud Application Default Credentials
By including ADC in your code, you can test on Windows/Linux and deploy to App Engine without modifying your code and without the security risks of including a service account JSON file in your deployment.
You need to set up IAM permissions to use the encrypt feature.
You can do that by using the following command with your service account's details:
gcloud kms keys add-iam-policy-binding \
golden-egg --location global --keyring golden-goose \
--member serviceAccount:[email protected] \
--role roles/cloudkms.cryptoKeyEncrypterDecrypter
Here is a community post that already touched the subject and can give you some more information and documentation.
Let me know if this helped you.
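An added Go example, not code from either answer, that ties the two together: IAMMember derives the --member value for the gcloud binding above from a key file's client_email, and FindKeyFiles scans the directory about to be deployed for stray service account key files, since the first answer's point is that the key file must not ship with the app. The sample key JSON is constructed; the project name in it is a placeholder.

```go
package main

import (
	"encoding/json"
	"errors"
	"os"
	"path/filepath"
)

// Constructed sample of a downloaded key file (placeholder project name).
const sampleKey = `{"type":"service_account",` +
	`"client_email":"app@example-project.iam.gserviceaccount.com"}`

// Fields of a service account key file that matter here.
type saKey struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
}

// IAMMember parses a key file and returns the --member value for
// "gcloud kms keys add-iam-policy-binding"; non-key JSON is rejected.
func IAMMember(keyJSON []byte) (string, error) {
	var k saKey
	if err := json.Unmarshal(keyJSON, &k); err != nil {
		return "", err
	}
	if k.Type != "service_account" || k.ClientEmail == "" {
		return "", errors.New("not a service account key file")
	}
	return "serviceAccount:" + k.ClientEmail, nil
}

// FindKeyFiles walks the tree "gcloud app deploy" would upload and lists
// every JSON file that is a service account key, so it can be removed or
// added to .gcloudignore instead of being deployed with the application.
func FindKeyFiles(root string) ([]string, error) {
	var found []string
	err := filepath.Walk(root, func(p string, info os.FileInfo, walkErr error) error {
		if walkErr != nil || info.IsDir() || filepath.Ext(p) != ".json" {
			return walkErr
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		if _, keyErr := IAMMember(data); keyErr == nil {
			found = append(found, p)
		}
		return nil
	})
	return found, err
}
```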
