dart-lang/gcloud

Question: Google service account JSON security

archenroot opened this issue · 1 comments

Hi,

It's my first Flutter app dev. I make images and store them in a bucket in Google Cloud Storage. I originally developed a Cloud Run Java API which eventually might use Keycloak OAuth tokens as input from Flutter for auth, while later it will use a Google service account. But it's slowing down the process, and I found this plugin as well, so instead I want to use this plugin directly. But how do I secure the Google service account JSON file in the Flutter app, so I can load it later into the Google and Apple stores?

I didn't find any clear answer to this while googling.

If I do something like a device registration process with Keycloak, then I can use it to emit short-lived tokens for the app. This will be the way, but I don't think it's good practice to store the SA JSON file directly in Flutter code...

Thanks for the hints

> but how do I secure the Google service account JSON file in the Flutter app, so I can load it later into the Google and Apple stores?

I think use of exported service account keys is generally discouraged whenever it can be avoided. Hard coding such keys in a Flutter app is definitely not something I would recommend.

I think in general, I would write a Cloud Run app for uploading files, and not use GCP APIs directly from a Flutter app. One could also use Cloud Run to create signed upload URLs; that way you off-load the actual upload process to GCS. Details of how to do this are beyond the scope of this package.

In general, I think many parts of this package are aimed at people writing server-side applications in Dart.
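The signed-upload-URL approach the maintainer describes, as an added example that is not part of the gcloud package or either participant's code. It shows the backend side only: the service-account key is used exactly once, inside a `sign` callback that never leaves the server, and the mobile client receives just a URL that permits one `PUT` of one object with a bound content type and a short expiry. The bucket name, object name, service-account e-mail and timestamp are constructed values; the `demo_signer` is an HMAC stand-in so the file runs offline (GCS would reject its output; a real deployment signs the string-to-sign with the service account's RSA key, RSA-SHA256 with PKCS#1 v1.5 padding). The canonical-request and string-to-sign layout follows the documented GCS V4 signing format.

```python
"""Mint a GCS V4 signed upload URL on the backend (added example, not gcloud code)."""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Callable
from urllib.parse import quote

HOST = "storage.googleapis.com"
MAX_EXPIRY_SECONDS = 7 * 24 * 3600  # GCS rejects V4 URLs valid for longer than 7 days


def _enc(value: str) -> str:
    """Percent-encode everything except RFC 3986 unreserved characters."""
    return quote(value, safe="")


def build_signed_upload_url(bucket: str, object_name: str, sa_email: str,
                            sign: Callable[[bytes], bytes], *, now: datetime,
                            expires_in: int = 600,
                            content_type: str = "image/jpeg") -> str:
    """Return a V4 signed URL that allows a PUT of `object_name` until it expires.

    `sign` is the only place the service-account private key is used, so the
    key stays on the backend; the Flutter client only ever sees the URL.
    """
    if not 0 < expires_in <= MAX_EXPIRY_SECONDS:
        raise ValueError("expires_in must be between 1 and 604800 seconds")
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    now = now.astimezone(timezone.utc)
    date = now.strftime("%Y%m%d")
    timestamp = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{date}/auto/storage/goog4_request"
    # Headers the client must send exactly as signed. Binding content-type
    # stops the URL from being reused to upload a different kind of object.
    headers = {"host": HOST, "content-type": content_type}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    params = {
        "X-Goog-Algorithm": "GOOG4-RSA-SHA256",
        "X-Goog-Credential": f"{sa_email}/{scope}",
        "X-Goog-Date": timestamp,
        "X-Goog-Expires": str(expires_in),
        "X-Goog-SignedHeaders": signed_headers,
    }
    query = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    path = "/" + _enc(bucket) + "/" + quote(object_name, safe="/")
    # Canonical request: verb, path, query, headers (each newline-terminated),
    # blank line, signed header list, payload marker.
    canonical_request = "\n".join(
        ["PUT", path, query, canonical_headers, signed_headers, "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(
        ["GOOG4-RSA-SHA256", timestamp, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = sign(string_to_sign.encode()).hex()
    return f"https://{HOST}{path}?{query}&X-Goog-Signature={signature}"


# Stand-in signer so this file runs offline (constructed secret, not a real key).
# A real backend signs with the service account's RSA key instead; GCS would
# reject URLs produced by this HMAC stand-in.
_DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"


def demo_signer(data: bytes) -> bytes:
    return hmac.new(_DEMO_SECRET, data, hashlib.sha256).digest()


EXAMPLE_NOW = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)  # constructed
EXAMPLE_SA = "uploader@example-project.iam.gserviceaccount.com"  # constructed


def demo_url() -> str:
    """The URL the backend would hand to the Flutter client (constructed inputs)."""
    return build_signed_upload_url("example-bucket", "photos/cat.jpg", EXAMPLE_SA,
                                   demo_signer, now=EXAMPLE_NOW)


if __name__ == "__main__":
    print(demo_url())
```

The Flutter app calls the backend (authenticated however the app authenticates its users), receives this URL, and issues a plain HTTPS `PUT` of the image bytes with the same `Content-Type` to it; nothing Google-specific is embedded in the client, and rotating the service-account key changes nothing on the client side.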