Google Cloud Service Account and Secret Management Tools

374 views

I am using chamber, a tool for managing secrets.

Basically, it populates the environment with the secrets from the specified services and executes the given command.

E.g.: chamber exec script.sh

This will use the env vars defined in chamber inside script.sh.

I want to do the same with a Google Cloud service account, in order to use the Google Cloud SQL Proxy.

The problem is that the GOOGLE_APPLICATION_CREDENTIALS env var is a path to a JSON file and not the actual value.

I can easily store the JSON in chamber, but I can't use it as an env var unless I copy the value into a JSON file and pass the path in the env var.

For security reasons, I don't want to store the JSON file inside my production instance.

I know that I can use gcloud auth login to authenticate the user, but I don't want to install unnecessary libraries.

I could also use a token:

./cloud_sql_proxy -instances=INSTANCE_NAME -token=TOKEN_VALUE

The problem is that the token expires really quickly.

If I could convert the service account JSON file into a base64 string and use it as a token it would be perfect.

Long story short:

I would like to store the Google Cloud auth secrets in my secrets management tool and use them with the cloud_sql_proxy.

My code is running on AWS EC2.

The naive approach that I can think of would be adding the JSON file, authenticating, and then deleting the file... I am using Packer to generate the instance image.

Any idea how I can achieve this?


There are 0 answers
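No answer was posted. As an added example that is not part of the original question, the following POSIX shell wrapper shows one way to bridge the gap the asker describes: chamber exec injects the service-account key as an environment variable, the wrapper turns it into a 0600 file that lives only for the lifetime of the wrapped command (preferring a tmpfs-backed directory so the key never lands on persistent disk), exports GOOGLE_APPLICATION_CREDENTIALS for it, and removes the file afterwards, whatever the command's exit status. The variable names GCP_SA_KEY_B64 (base64-encoded JSON, the asker's idea) and GCP_SA_KEY_JSON (raw JSON), the chamber service name "proxy" and the use of /dev/shm are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the question or from chamber/cloud_sql_proxy):
# run a command with a service-account key that exists on disk only while
# the command runs.
#
# Assumed usage, with chamber injecting GCP_SA_KEY_B64 or GCP_SA_KEY_JSON:
#   chamber exec proxy -- ./gcp-cred-exec.sh ./cloud_sql_proxy -instances=INSTANCE_NAME
set -u

# Write the key material to a private temp file and print its path.
# Prefers /dev/shm (tmpfs, assumption: present and writable on the image)
# so the key stays in memory; falls back to $TMPDIR or /tmp.
write_credential_file() {
    base="${TMPDIR:-/tmp}"
    if [ -d /dev/shm ] && [ -w /dev/shm ]; then
        base=/dev/shm
    fi
    cred="$(mktemp "$base/gcp-sa.XXXXXX")" || return 1
    chmod 600 "$cred"                      # owner-only, even if mktemp's default differs
    if [ -n "${GCP_SA_KEY_B64:-}" ]; then
        # asker's idea: key stored base64-encoded in the secrets tool
        printf '%s' "$GCP_SA_KEY_B64" | base64 -d > "$cred" || { rm -f "$cred"; return 1; }
    elif [ -n "${GCP_SA_KEY_JSON:-}" ]; then
        # raw JSON stored in the secrets tool
        printf '%s' "$GCP_SA_KEY_JSON" > "$cred"
    else
        echo "gcp-cred-exec: neither GCP_SA_KEY_B64 nor GCP_SA_KEY_JSON is set" >&2
        rm -f "$cred"
        return 1
    fi
    printf '%s\n' "$cred"
}

# Run "$@" with GOOGLE_APPLICATION_CREDENTIALS pointing at the temp file,
# then delete the file. Returns the wrapped command's exit status.
run_with_credentials() {
    cred="$(write_credential_file)" || return 1
    trap 'rm -f "$cred"' EXIT INT TERM     # cleanup also on signals
    status=0
    GOOGLE_APPLICATION_CREDENTIALS="$cred" "$@" || status=$?
    rm -f "$cred"
    trap - EXIT INT TERM
    return "$status"
}

# Only act as a wrapper when a command was given (lets the file be sourced).
if [ "$#" -gt 0 ]; then
    run_with_credentials "$@"
fi
```

The wrapper deliberately does not `exec` the proxy, because it needs to stay alive to remove the file when the proxy exits; the key is therefore on a tmpfs for exactly as long as the proxy runs, which is the narrowest window this approach allows without changing how the proxy reads credentials. Anything that can read the process environment or /dev/shm as the same user can still read the key, so the wrapper reduces exposure on persistent disk (the asker's concern) rather than protecting against a compromise of the instance itself.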