Google Cloud service accounts are designed to authenticate and authorize requests to Google APIs.
If your application interacts with Google Cloud services then it requires a service account to access all the resources it needs to functionproperly. Resources that can be accessed depend on the permission granted to the service account. Establishing the identity of a service accountrelies on a public/private key pair. It’s common for private keys to be distributed through a JSON file that your application will then use to consumeGoogle APIs.
A key may authenticate to a high privilege which has unrestricted access to all resources in your Google Cloud project, including billinginformation.
Recommended Secure Coding Practices
Only administrators should have access to the service account key used by your application.
As a consequence, service account keys should not be stored along with the application code as they would grant special privileges to anyone whohas access to the application source code.
Keys should be stored outside of the code in a file that is never committed to your application code repository.
If possible, a better alternative is to use your cloud provider’s service for managing secrets. On Google Cloud this service is called Secret Manager.
When keys are disclosed in the application code, consider them as compromised and revoke them immediately.
See
