Google Cloud Credentials: The Most Dangerous JSON File
The "Download Key" Habit
Google Cloud Platform (GCP) uses Service Accounts for machine-to-machine authentication. To use them locally, developers often download a JSON key file (e.g., service-account-key.json).
This file contains the private_key block. It is the equivalent of a root password for that identity.
Why They Leak
In AI/ML projects, these keys leak constantly because:
- Easy Integration: Libraries like gspread (Google Sheets) or BigQuery require the path to this JSON file.
- Lazy Commits: Developers run git add ., accidentally including the JSON file sitting in the root directory.
- Docker Images: Copying the key into a Docker container that gets pushed to a public registry.
The Anatomy of a Leak
A GCP key file is easily recognizable. It always contains specific fields:
{
"type": "service_account",
"project_id": "my-company-prod",
"private_key_id": "...",
"private_key": "-----BEGIN PRIVATE KEY-----\n..."
}
If an attacker finds this, they can authenticate as that service account from anywhere in the world. If the account has Editor or Owner permissions, your entire cloud infrastructure is compromised.
Moving Beyond Keys
The best way to secure GCP keys is not to use them.
- Workload Identity Federation: Allow AWS/GitHub/Azure to impersonate a GCP Service Account without downloading a JSON key.
- User Credentials: Use gcloud auth application-default login for local development.
Automated Detection
You need a scanner that looks inside JSON files. Veritensor scans for the specific structure of GCP credentials, ensuring that even if you rename the file to config.json, it will still be flagged as a critical secret.
veritensor scan .
# Output: CRITICAL: Google Cloud Service Account Key detected
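As an added illustration of the structure-based detection described above (this is example code written for this page, not Veritensor's implementation), the following Python checks a file's content for the service account key fields rather than trusting its name, and falls back to a looser pattern match when a key has been pasted into a non-JSON file such as YAML or .env. The sample key and config strings are constructed and non-functional.

```python
import json
import re
from pathlib import Path

# Fields every GCP service account key file carries (see "The Anatomy of a Leak").
REQUIRED_FIELDS = {"type", "project_id", "private_key_id", "private_key"}
PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
# Fallback for keys pasted into files that are not valid JSON (YAML, .env, notebooks).
LOOSE_PATTERN = re.compile(r'"type"\s*:\s*"service_account".*?BEGIN PRIVATE KEY', re.S)


def is_gcp_service_account_key(text: str) -> bool:
    """Return True if `text` is structurally a GCP service account key.

    Detection is by content, not file name, so a key renamed to
    config.json is still caught.
    """
    try:
        data = json.loads(text)
    except ValueError:
        # Not a JSON document: use the looser substring check instead.
        return bool(LOOSE_PATTERN.search(text))
    if not isinstance(data, dict) or not REQUIRED_FIELDS.issubset(data):
        return False
    if data.get("type") != "service_account":
        return False
    return str(data.get("private_key", "")).startswith(PEM_HEADER)


def scan_tree(root: str) -> list[str]:
    """Walk `root` and return the paths of files that look like GCP keys."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > 1_000_000:
            continue  # skip directories and large binaries
        text = path.read_text(encoding="utf-8", errors="ignore")
        if is_gcp_service_account_key(text):
            hits.append(str(path))
    return hits


# Constructed sample: a fake key as it would look after being renamed to config.json.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "my-company-prod",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKEFAKE\n-----END PRIVATE KEY-----\n",
    "client_email": "ml-job@my-company-prod.iam.gserviceaccount.com",
})
# Constructed sample: an ordinary ML config file that must not be flagged.
SAMPLE_CONFIG = '{"type": "config", "model": "resnet50", "private_key": "not-a-pem"}'
```

Running `scan_tree(".")` over a checkout reproduces the "look inside JSON files" check; a key stored under any file name is reported as long as its fields are intact.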