How to read Secret Manager secrets as file (e.g. GOOGLE_APPLICATION_CREDENTIALS as Json)?

Question

So far I would point GOOGLE_APPLICATION_CREDENTIALS to the file which stores the service-account (SA) credentials for the Firebase SA e.g. GOOGLE_APPLICATION_CREDENTIALS=/path/to/credentials.json.

@Value("${api-key.google.application-credentials}")
private String googleCredentials;


@Bean
public FirebaseApp firebaseApp() throws IOException {

    LOGGER.info("Initializing Firebase.");

    FileInputStream serviceAccount = new FileInputStream(googleCredentials);
    FirebaseOptions options = FirebaseOptions.builder()
            .setCredentials(GoogleCredentials.fromStream(serviceAccount))
            .build();

    if (FirebaseApp.getApps().isEmpty()) {
        return FirebaseApp.initializeApp(options);
    }

    return FirebaseApp.getApps().get(0);
}

Moving towards deployment, I've decided to go with GCPs Secret Manager.

I was wondering if I can read a secret-value "as file" such that the code above works with

api-key:
  google:
    application-credentials: ${sm://GOOGLE_APPLICATION_CREDENTIALS}

as well as

api-key:
  google:
    application-credentials: ${GOOGLE_APPLICATION_CREDENTIALS:google-credentials.json}

or is there another way this should be done?

I know I have the option to just use the raw JSON and create a temporary file which I'd pass to GoogleCredentials.fromStream() but that's just weird. Am I missing something?

Answer 1

As per previous comment:

When using Google Cloud Run, a service account key file is not needed. Client libraries will automatically access the credentials of the runtime environment because of the Application Default Credentials (ADC). Cloud Run has a metadata server that exposes the credential of the current runtime environment. Additional information can be found through this link on Service Identity.