How to use two JSONs using secrets to authenticate to Google in Java

1/6/2020

Due to company restrictions, I have to use different service accounts for different Google services.

One of the accounts is for pubsub and a second one is for bigquery.

I've gotten the pubsub authentication to work with spring.

Snippet

    @Autowired
    private ClientConfiguration clientConfiguration;
    private Context context = new Context();
    .
    .
    .
    context.setClientConfiguration(clientConfiguration);
    String projectId = clientConfiguration.getSubscriptionProjectDefault();
    List<ReceivedMessage> receivedMessageList = getPubSubMessages(projectId, clientConfiguration.getSubscriptionNameDefault(), Integer.parseInt(clientConfiguration.getNumMaxOfMessages()));

When doing these steps for BigQuery, the path to the secret is "/secret/secret_name". When doing what the URL says, I get a NullPointerException in the File. Here is the snippet:

    log.debug("PATH_BIG_QUERY_CREDENTIALS:"+System.getenv("PATH_BIG_QUERY_CREDENTIALS"));
    String pathBigQueryCredentials = System.getenv("PATH_BIG_QUERY_CREDENTIALS");

    File credentialsPath = new File(pathBigQueryCredentials);

    FileInputStream serviceAccountStream = new FileInputStream(credentialsPath);
    GoogleCredentials credentials = ServiceAccountCredentials.fromStream(serviceAccountStream);

    BigQuery bigquery = BigQueryOptions.newBuilder().setCredentials(credentials).build().getService();

What is the correct way to use a second service account? This is non-negotiable :(

-- GriffiN
google-authentication
google-bigquery
java
kubernetes-secrets
publish-subscribe

1 Answer

1/8/2020

The answer actually was in the deployment.yaml.

To mount multiple secrets it needs to be the following:

    ---
    # POD - API configuration (with Google Endpoints)
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: event-keeper-acl
    spec:
      # Number of replicas
      replicas: 1
      template:
        metadata:
          labels:
            app: app_name
            tier: backend
        spec:
          containers:
            - name: app_name
              image: REGISTRY_HOSTNAME/PROJECT_ID/REPOSITORY_NAME:IMAGE_TAG
              imagePullPolicy: Always
              ports:
                - containerPort: 8080
              env:
                - name: GOOGLE_APPLICATION_CREDENTIALS
                  value: "/secret/secret_name_1"
                - name: PATH_BIG_QUERY_CREDENTIALS
                  value: "/secret/secret_name_2"
              volumeMounts:
                - name: service-secrets
                  mountPath: /secret
                  readOnly: true
              envFrom:
                - configMapRef:
                    name: app-name-config-map
          volumes:
            - name: service-secrets
              projected:                  # <----- THIS ENABLES MULTIPLE SECRETS IN SAME MOUNT POINT
                sources:
                - secret:
                    name: secret_name_1
                - secret:
                    name: secret_name_2

-- GriffiN
Source: StackOverflow
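
A defensive version of the BigQuery credential loading from the question, as an added example that is not part of the original post or answer: it fails with a clear message when `PATH_BIG_QUERY_CREDENTIALS` is unset or the key file is missing from the mount, and restricts the key to the BigQuery scope. The class and method names (`BigQueryClientFactory`, `resolveKeyPath`, `create`) are hypothetical, and it assumes the google-cloud-bigquery client library is on the classpath.

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.cloud.bigquery.BigQuery;
import com.google.cloud.bigquery.BigQueryOptions;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Collections;

/** Hypothetical helper: builds a BigQuery client from the second mounted key file. */
public final class BigQueryClientFactory {

    // Same variable name as in the deployment.yaml from the answer.
    static final String ENV_VAR = "PATH_BIG_QUERY_CREDENTIALS";
    // Limit the token to BigQuery even if the service account holds broader roles.
    static final String BIGQUERY_SCOPE = "https://www.googleapis.com/auth/bigquery";

    /** Resolves the key path, failing clearly instead of with a NullPointerException. */
    static Path resolveKeyPath(String envValue) {
        if (envValue == null || envValue.trim().isEmpty()) {
            throw new IllegalStateException(
                    ENV_VAR + " is not set; check the env section of the pod spec");
        }
        Path path = Paths.get(envValue.trim());
        // Files in a secret volume are named after the keys inside the Secret,
        // so a wrong file name here usually means the Secret's key differs.
        if (!Files.isRegularFile(path) || !Files.isReadable(path)) {
            // Report the path only; never log the key contents.
            throw new IllegalStateException("No readable key file at " + path
                    + "; check that the secret is a source of the projected volume");
        }
        return path;
    }

    public static BigQuery create() throws IOException {
        Path keyPath = resolveKeyPath(System.getenv(ENV_VAR));
        // try-with-resources closes the key file stream after parsing.
        try (InputStream in = Files.newInputStream(keyPath)) {
            GoogleCredentials credentials = ServiceAccountCredentials.fromStream(in)
                    .createScoped(Collections.singletonList(BIGQUERY_SCOPE));
            // Explicit credentials apply to this client only; clients that rely on
            // GOOGLE_APPLICATION_CREDENTIALS keep using the first service account.
            return BigQueryOptions.newBuilder().setCredentials(credentials).build().getService();
        }
    }
}
```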