Tags: python, google-cloud-platform, cryptography, password-encryption, hsm

What is the workflow to encrypt and access Google Application Credentials in Google's App Engine?


I know that the Google Cloud environment has tons of solutions for encryption but I keep ultimately running in circles and finding myself holding my own key when it should be unknown to the application.

My current strategy is:

  1. Access my google credentials as json held locally.

     import os
     os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '<my_google_user>.json'

  2. Set my secret with payload in google cloud via Python (longer code omitted for conciseness).

  3. Access my secret as a dictionary to use directly later in code.

     import json
     from google.cloud import secretmanager

     client = secretmanager.SecretManagerServiceClient()
     sf_str = client.access_secret_version(request={"name": "<my_version_name>"}).payload.data.decode("utf-8")
     sf_cred = json.loads(sf_str)

So my question is how can I encrypt my google application credentials json?

I am very new to this environment and workflows involving encryption so please be precise with python or cloud terminal examples. Feel free to knock the security of my strategy as a whole so that I may learn a better one.

P.S. I have created a Cryptographic Key in Google Cloud Platform if that is a step but don't know how to use/automate it in this 12hr recurring task I want to use in setting up this password access.


Solution

  • Not sure if I understand your question correctly.

    You might not need the credentials file at all.

    Your code in the cloud is executed by App Engine, or Cloud Function, or Cloud Run, etc. under some service account. It can be a default service account, or a specifically created service account. For example: Using the Default App Engine Service Account

    In order to access a secret in the Secret Manager, it may be enough to add/assign relevant IAM roles to the service account which executes the code to access those secrets. For example - to add IAM roles to the default app engine service account.

    Secret Manager IAM is described here: Access control

    Most likely a roles/secretmanager.secretAccessor role may be enough. In that case your code will be able to get the secret value, and subsequently use it.
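As an added worked example (not part of the original answer), this is what the answer's approach looks like in code: no GOOGLE_APPLICATION_CREDENTIALS file, the runtime service account holds roles/secretmanager.secretAccessor, and the secret is read through Application Default Credentials. Project, secret and service-account names are constructed placeholders, and FakeSecretClient is a constructed stand-in so the function can be exercised offline.

```python
"""Read a JSON secret from Secret Manager with Application Default Credentials.

With no GOOGLE_APPLICATION_CREDENTIALS set, the client library authenticates as
the App Engine runtime service account, so no key file ships with the code.
Grant that account read access once (constructed names; real gcloud command):
  gcloud secrets add-iam-policy-binding sf-cred \
      --member="serviceAccount:my-project@appspot.gserviceaccount.com" \
      --role="roles/secretmanager.secretAccessor"
"""
import json
from types import SimpleNamespace
from typing import Any, Dict, Optional


def secret_version_name(project: str, secret: str, version: str = "latest") -> str:
    """Build the resource name Secret Manager expects for a secret version."""
    return f"projects/{project}/secrets/{secret}/versions/{version}"


def load_json_secret(name: str, client: Optional[Any] = None) -> Dict[str, Any]:
    """Fetch one secret version and parse its payload as a JSON object."""
    if client is None:
        # Imported lazily so the module loads without the library installed;
        # the real client picks up ADC (the runtime service account on App Engine).
        from google.cloud import secretmanager
        client = secretmanager.SecretManagerServiceClient()
    response = client.access_secret_version(request={"name": name})
    payload = response.payload.data.decode("utf-8")
    try:
        parsed = json.loads(payload)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret {name} is not valid JSON") from exc
    if not isinstance(parsed, dict):
        raise ValueError(f"secret {name} is JSON but not an object")
    return parsed


class FakeSecretClient:
    """Constructed stand-in for SecretManagerServiceClient (offline runs only).

    Mirrors only the response shape the code above relies on: payload.data.
    """

    def __init__(self, data: bytes) -> None:
        self._data = data

    def access_secret_version(self, request: Dict[str, str]) -> Any:
        return SimpleNamespace(payload=SimpleNamespace(data=self._data))
```

In production call `load_json_secret(secret_version_name("my-project", "sf-cred"))` without `client=`; the fake is only for local tests.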