I'm using GitHub Actions to deploy my project on the cloud using Docker. I need to install some private packages hosted on the GCP Artifact Registry.
I am using google-artifact-registry-auth to authenticate to the cloud and generate an action token. It needs a service account JSON key file to be exported as a GOOGLE_APPLICATION_CREDENTIALS variable.
I can't push a JSON key file into code for security reasons. It only accepts key files and does not support direct file content. I would have added it by reading GitHub secrets if it supported file content.
How do I create a JSON file using workflow actions and use that inside a Docker container?
The recommended method to load JSON objects into GitHub Actions is to use a base64-encoded JSON string, which you can then decode in your Dockerfile. Refer to this Medium blog written by Vera on Using JSON in your GitHub Actions when authenticating with GCP for more information, which may help to resolve your issue.
Also see the safe methods below for installing the private packages and authenticating your Docker container to the GCP Artifact Registry.
Google Cloud Workflows and Secret Manager:
Consider utilizing Google Cloud Workflows. Use Google Cloud Workflows for deployment if your project is already on Google Cloud. Interact easily with Secret Manager to handle and save service account keys safely without storing them in a repository.
You can use the Google Cloud Secret Manager action to retrieve the JSON key file from Secret Manager and store it in a temporary file. Utilize the Secret Manager API in your workflow to access the key. Get the key safely using the Secret Manager API and then send it to your Docker container.
Workflow secrets and environment variables:
Although it's not ideal to push the complete service account JSON key, you can split it up into smaller, less sensitive chunks and save them as secrets. See this GitHub doc on Using Secrets in GitHub Actions for more details. This guide covers how to create, manage and utilize the secrets in your workflows. It also describes many methods for setting secrets, such as using environment variables, the UI, or the CLI.
Construct the JSON key dynamically within your workflow script from environment variables stored in secrets; this reduces the amount of sensitive information stored directly.
The created key is then mounted as a volume at a specific location inside your Docker container, giving the container secure access to the key.
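As an added example (not part of the question or the answer above, and not code from google-artifact-registry-auth or Google), here is the runner side of the base64-secret approach in POSIX shell: decode the secret into a temporary file with owner-only permissions, check that what came out is actually a service-account key, log only the service-account email, and hand the file to `docker build` as a BuildKit secret so it is visible to the `RUN` step that needs it but never written into an image layer. Assumptions: the GitHub secret is called `GCP_SA_KEY_B64` and the BuildKit secret id is `gcp_key` (both hypothetical names), the runner has GNU `base64 -d`, and the key JSON embedded below is a constructed dummy with no real private key.

```shell
#!/bin/sh
# Added example, not from the question, the answer, or any project's code.
# Decodes a base64 GitHub secret into a 0600 temp file, sanity-checks it, and
# passes it to docker build as a BuildKit secret (not a COPY or a build ARG).
# Hypothetical names: GitHub secret GCP_SA_KEY_B64, BuildKit secret id gcp_key.
#
# Workflow step that would call this script (assumed):
#   - run: sh ./write_key.sh
#     env:
#       GCP_SA_KEY_B64: ${{ secrets.GCP_SA_KEY_B64 }}
set -eu

# Constructed dummy key so the script runs offline; it stands in for the
# secret. No real private key or project is referenced.
SAMPLE_KEY_JSON='{"type":"service_account","project_id":"example-project","private_key_id":"0000","private_key":"-----BEGIN PRIVATE KEY-----\nMIIB...\n-----END PRIVATE KEY-----\n","client_email":"ci@example-project.iam.gserviceaccount.com"}'
GCP_SA_KEY_B64="${GCP_SA_KEY_B64:-$(printf '%s' "$SAMPLE_KEY_JSON" | base64 | tr -d '\n')}"

# write_key_file B64 DEST: decode B64 into DEST, readable by the owner only,
# and refuse anything that does not look like a service-account key so the
# job fails here rather than with an opaque auth error later. Returns 1 on a
# bad blob and removes the partial file.
write_key_file() {
    b64="$1"; dest="$2"
    ( umask 077; printf '%s' "$b64" | base64 -d > "$dest" ) || return 1
    if ! grep -q '"type": *"service_account"' "$dest" \
       || ! grep -q '"private_key"' "$dest" \
       || ! grep -q '"client_email"' "$dest"; then
        rm -f "$dest"
        echo "decoded secret is not a service-account key" >&2
        return 1
    fi
}

# sa_email_from_key FILE: print the client_email so the job log records which
# identity is in use without ever echoing the key itself.
sa_email_from_key() {
    sed -n 's/.*"client_email": *"\([^"]*\)".*/\1/p' "$1"
}

# build_cmd KEYFILE IMAGE: the docker build invocation that exposes the key
# to the build as a BuildKit secret. Inside the build it appears at
# /run/secrets/gcp_key only for RUN steps that mount it, and it is not stored
# in any layer or in `docker history`.
build_cmd() {
    printf 'DOCKER_BUILDKIT=1 docker build --secret id=gcp_key,src=%s -t %s .' "$1" "$2"
}
# Matching Dockerfile side (assumed), where the package installer reads
# GOOGLE_APPLICATION_CREDENTIALS:
#   # syntax=docker/dockerfile:1
#   RUN --mount=type=secret,id=gcp_key \
#       GOOGLE_APPLICATION_CREDENTIALS=/run/secrets/gcp_key <your package install>

main() {
    tmpdir="$(mktemp -d)"
    trap 'rm -rf "$tmpdir"' EXIT        # the key file never outlives this step
    keyfile="$tmpdir/key.json"
    write_key_file "$GCP_SA_KEY_B64" "$keyfile"
    echo "using service account: $(sa_email_from_key "$keyfile")"
    printf '%s\n' "$(build_cmd "$keyfile" myapp:ci)"   # run this on the CI runner
}
main
```

The reason for the `--secret` path rather than decoding inside the Dockerfile: a key passed as a build `ARG` or copied with `COPY` is captured in the image's layers and history and ships with every pull of that image, whereas a BuildKit secret mount exists only in the filesystem of the `RUN` step that asks for it. The `umask 077` subshell creates the temp file with mode 0600 from the start, so there is no window in which the decoded key is world-readable on the runner.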