This section of cloud-secret.yaml loads the credential material into the GOOGLE_APPLICATION_CREDENTIALS environment variable, similar to the AWS_ACCESS_KEY_ID and other AWS credentials.

However, the GOOGLE_APPLICATION_CREDENTIALS environment variable is meant to hold the path to the credentials file on disk, and not the credential itself.

I've worked around this by mounting the file from the secret myself:

and using the service_account_file field to point to the file on disk.

However, I think this has security implications because if you don't use the service_account_file override, the server error when trying to load the credentials file from the GOOGLE_APPLICATION_CREDENTIALS environment variable dumps the contents to the logs of the agent trying to attest, exposing the private key.

{"error":"failed to receive attestation response: rpc error: code = Internal desc = nodeattestor(gcp_iit): failed to fetch instance metadata: failed to create compute service client: open {\n \"type\": \"service_account\",\n \"project_id\": \"REDACTED\",\n \"private_key_id\": \"REDACTED\",\n \"private_key\": \"-----BEGIN PRIVATE KEY---- ... \"universe_domain\": \"googleapis.com\"\n}: file name too long","level":"error","msg":"Agent crashed","time":"2024-11-01T03:39:06Z"}
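As an added example (not from the issue or the Helm chart), a plain Kubernetes manifest fragment contrasting the risky pattern described above with the mounted-file approach; the Secret name and key, mount path, container name and image tag are assumptions.

```yaml
# Added example, not from the issue or the chart. Secret name/key, mount path,
# container name and image tag are assumptions.
#
# Risky: the Secret's JSON body is placed directly in the variable. The Google
# client libraries treat GOOGLE_APPLICATION_CREDENTIALS as a *path*, so the
# open() fails and the error string, which embeds the "path", carries the
# whole JSON (private_key included) into the attestation error and the logs.
apiVersion: v1
kind: Pod
metadata:
  name: spire-server-risky
spec:
  containers:
    - name: spire-server
      image: spire-server:PLACEHOLDER_TAG
      env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          valueFrom:
            secretKeyRef:
              name: gcp-sa-key          # assumed Secret name
              key: key.json             # assumed key holding the JSON
---
# Safer: mount the Secret as a read-only file and pass only its path. A failed
# open() now names a path, not a key, and the same path can be given to the
# gcp_iit NodeAttestor's service_account_file setting mentioned in the issue.
apiVersion: v1
kind: Pod
metadata:
  name: spire-server-safer
spec:
  volumes:
    - name: gcp-sa
      secret:
        secretName: gcp-sa-key          # assumed Secret name
        defaultMode: 0400
  containers:
    - name: spire-server
      image: spire-server:PLACEHOLDER_TAG
      env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /run/secrets/gcp/key.json   # assumed mount path
      volumeMounts:
        - name: gcp-sa
          mountPath: /run/secrets/gcp
          readOnly: true
```

A quick check for the risky pattern in a running cluster is whether the variable's value begins with `{` rather than `/`: a path never does.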