How to Upload a JSON File with Secret Keys to Heroku

How to upload a json file with secret keys to Heroku

By search github I found that someone had used a different method that used a JSON string as an argument rather than a file path: Google::APIClient::ClientSecrets.new(JSON.parse(ENV['GOOGLE_CLIENT_SECRETS']))

This lets me wrap up the JSON into an ENV VAR. The world makes sense again.

How to upload a json file with secret keys to Heroku

By search github I found that someone had used a different method that used a JSON string as an argument rather than a file path: Google::APIClient::ClientSecrets.new(JSON.parse(ENV['GOOGLE_CLIENT_SECRETS']))

This lets me wrap up the JSON into an ENV VAR. The world makes sense again.

Reading secret config file on Heroku without using env vars

Was answered by the lovely folks over at GoogleCloudPlatform: https://github.com/GoogleCloudPlatform/gcloud-node/issues/761

It's not mentioned in the code sample in the documentation, but you can just add a credentials object and pass that to your config. The credentials object can read env vars.

More information here: https://googlecloudplatform.github.io/gcloud-node/#/authorization.

Updated link: https://googleapis.dev/nodejs/pubsub/latest/global.html#ClientConfig

Load JSON file's content to Heroku's environment variable

Depending on which library you are using for communicating with Speach API you may use several approaches:

1. You may serialize your JSON data using base64 or something similar and set resulting string as one environment variable. Than during you app boot you may decode this data and configure your client library appropriately.

2. You may set each pair from credentials file as separate env variables and use them accordingly. Maybe library that you're using support authentication using GOOGLE_ACCOUNT_TYPE, GOOGLE_CLIENT_EMAIL and GOOGLE_PRIVATE_KEY similar to the ruby client that you're linking to.

EDIT:
Assuming that you are using google official client library, you have several options for authenticating your requests, including that you are using (service account): https://googlecloudplatform.github.io/google-cloud-python/latest/core/auth.html You may save your credentials to the temp file and pass it's path to the Client object https://google-auth.readthedocs.io/en/latest/user-guide.html#service-account-private-key-files (but it seems to me that this is very hacky workaround). There is a couple of other auth options that you may use.

EDIT2:
I've found one more link with the more robust approach http://codrspace.com/gargath/using-google-auth-apis-on-heroku/. There is ruby code, but you may do something similar in Python for sure.

How can I add a secret file to Heroku that I don't want on the GitHub source (Python)

I’d strongly recommend not to complicate your deployment strategy by having different files in your deployment than your version control. You run the risk of missing steps when deploying and breaking your release. Instead, the recommended approach is to use Heroku Config Vars to store secrets such as credentials and keys, as these will persist across releases, see https://devcenter.heroku.com/articles/config-vars for details.

Add Firebase Storage service credentials in json file to Heroku config vars for a spring boot app

I finally got an idea from discussions with a friend on a way to go about this. First, I had to create a class that contains fields to hold the contents of the json credentials. The class is as follows:

public class FirebaseCredential {
private String type;
private String project_id;
private String private_key_id;
private String private_key;
private String client_email;
private String client_id;
private String auth_uri;
private String token_uri;
private String auth_provider_x509_cert_url;
private String client_x509_cert_url;

public String getType() {
    return type;
}

public String getProject_id() {
    return project_id;
}

public String getPrivate_key_id() {
    return private_key_id;
}

public String getPrivate_key() {
    return private_key;
}

public String getClient_email() {
    return client_email;
}

public String getClient_id() {
    return client_id;
}

public String getAuth_uri() {
    return auth_uri;
}

public String getToken_uri() {
    return token_uri;
}

public String getAuth_provider_x509_cert_url() {
    return auth_provider_x509_cert_url;
}

public String getClient_x509_cert_url() {
    return client_x509_cert_url;
}

public void setType(String type) {
    this.type = type;
}

public void setProject_id(String project_id) {
    this.project_id = project_id;
}

public void setPrivate_key_id(String private_key_id) {
    this.private_key_id = private_key_id;
}

public void setPrivate_key(String private_key) {
    this.private_key = private_key;
}

public void setClient_email(String client_email) {
    this.client_email = client_email;
}

public void setClient_id(String client_id) {
    this.client_id = client_id;
}

public void setAuth_uri(String auth_uri) {
    this.auth_uri = auth_uri;
}

public void setToken_uri(String token_uri) {
    this.token_uri = token_uri;
}

public void setAuth_provider_x509_cert_url(String auth_provider_x509_cert_url) {
    this.auth_provider_x509_cert_url = auth_provider_x509_cert_url;
}

public void setClient_x509_cert_url(String client_x509_cert_url) {
    this.client_x509_cert_url = client_x509_cert_url;
}}

I then created the following environment properties to hold the values of the json credentials file:

FIREBASE_BUCKET_NAME=<add-the-value-from-config.json>
FIREBASE_PROJECT_ID=<add-the-value-from-config.json>
FIREBASE_TYPE=<add-the-value-from-config.json>
FIREBASE_PRIVATE_KEY_ID=<add-the-value-from-config.json>
FIREBASE_PRIVATE_KEY=<add-the-value-from-config.json>
FIREBASE_CLIENT_EMAIL=<add-the-value-from-config.json>
FIREBASE_CLIENT_ID=<add-the-value-from-config.json>
FIREBASE_AUTH_URI=<add-the-value-from-config.json>
FIREBASE_TOKEN_URI=<add-the-value-from-config.json>
FIREBASE_AUTH_PROVIDER_X509_CERT_URL=<add-the-value-from-config.json>
FIREBASE_CLIENT_X509_CERT_URL=<add-the-value-from-config.json>

With the properties set up, it is possible to read the environment values and set them in a FirebaseCredential object, serialize the object to a json string and finally convert it to an InputStream object as seen below:

 private InputStream createFirebaseCredential() throws Exception {
    //private key
    String privateKey = environment.getRequiredProperty("FIREBASE_PRIVATE_KEY").replace("\\n", "\n");

    FirebaseCredential firebaseCredential = new FirebaseCredential();
    firebaseCredential.setType(environment.getRequiredProperty("FIREBASE_TYPE"));
    firebaseCredential.setProject_id(projectId);
    firebaseCredential.setPrivate_key_id("FIREBASE_PRIVATE_KEY_ID");
    firebaseCredential.setPrivate_key(privateKey);
    firebaseCredential.setClient_email(environment.getRequiredProperty("FIREBASE_CLIENT_EMAIL"));
    firebaseCredential.setClient_id(environment.getRequiredProperty("FIREBASE_CLIENT_ID"));
    firebaseCredential.setAuth_uri(environment.getRequiredProperty("FIREBASE_AUTH_URI"));
    firebaseCredential.setToken_uri(environment.getRequiredProperty("FIREBASE_TOKEN_URI"));
    firebaseCredential.setAuth_provider_x509_cert_url(environment.getRequiredProperty("FIREBASE_AUTH_PROVIDER_X509_CERT_URL"));
    firebaseCredential.setClient_x509_cert_url(environment.getRequiredProperty("FIREBASE_CLIENT_X509_CERT_URL"));
    //serialization of the object to json string
    ObjectMapper mapper = new ObjectMapper();
    String jsonString = mapper.writeValueAsString(firebaseCredential);

    //convert jsonString string to InputStream using Apache Commons
    return IOUtils.toInputStream(jsonString);
}

The resulting InputStream object is used to initialize the Firebase Storage or Admin as the case may be.

InputStream firebaseCredentialStream = createFirebaseCredential();
StorageOptions.newBuilder()
            .setProjectId(projected)                 
       .setCredentials(GoogleCredentials.fromStream(firebaseCredentialStream))
       .build();

Using Environment Variables as Credentials on Heroku

Thanks God I finally Solved this issue Instead of Using Environment Variables which have the credentials file name and the json credential script and then using Buildpack to Generate local path You Just need to Create New Json File then write the credentials script inside and finally pass the new Json File name as a parameter to the LoadCredentialsFile Function Like This:

firebase_credentials = {
  "type": "",
  "project_id": "",
  "private_key_id": "",
  "private_key": "-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----\n",
      "client_email": "",
      "client_id": "",
      "auth_uri": "",
      "token_uri": "",
      "auth_provider_x509_cert_url": "",
      "client_x509_cert_url": ""
    }
    with open("firebase_credentials.json", "w") as write_file:
        json.dump(firebase_credentials, write_file)
    cred_obj = firebase_admin.credentials.Certificate('firebase_credentials.json')

Issue with .gitignore file and trying to run an app on heroku

What you are looking for are config variables
After you added them you can load them just like any other environment variables.

---

Related Topics