Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is the appropriate way to manage API secrets within a Google Apps script?

Tags:

security

authorization

google-apps-script

secret-key

key-management

If I write a google apps script, and within the script I need to invoke third party APIs or make database calls, what is the appropriate way of managing secret API keys and passwords?

Is there any risk in placing the secrets directly within the script if I publish the script as an API but don't share access to the Google Drive location that contains the Google Apps script

like image 400
Master_Yoda Avatar asked Nov 07 '18 20:11

Master_Yoda

People also ask

What is the best place to store secret API keys?

Often your app will have secret credentials or API keys that you need to have in your app to function but you'd rather not have easily extracted from your app. If you are using dynamically generated secrets, the most effective way to store this information is to use the Android Keystore API.

What are best practices for storing and protecting private API keys in applications?

Solution: We can use NDK to Secure API Keys. We can store keys in the native C/C++ class and access them in our Java classes.

1 Answers

There is no right or wrong answer. There are numerous factors to consider:

  • If this is for/in G-Suite, then your G-Suite admins'll have (or can get) access to anything. This may or may not be an issue.
  • If you put the data in a sheet, anyone that has read access to the sheet can see the data.
  • You can use PropertiesService but then folks can access as explained in the documentation. User properties is one way but may not work in all use-cases -- like if another user is executing the code. You could use installable triggers if that is do-able for your use-case.
  • If folks need to be able to make the API call with your key, you could write a proxy web-app that they can call but not see source for.
like image 111
IMTheNachoMan Avatar answered Oct 20 '22 17:10

IMTheNachoMan
Sign in to Comment

Related questions

Is it advisable to store a hashed password in a cookie?
Does Tomcat support TLS v1.2?
POST request with a self-signed certificate
Javascript Comments are security risk?
IIS7, SQL 2008 and ASP.NET MVC security
What is the recommended way to encrypt user passwords in a database?
Secure Password Hashing
How do I prevent replay attacks?
JBoss AS 7.1 - datasource how to encrypt password
Generate a Secure Random Password in Java with Minimum Special Character Requirements
Simple example of Spring Security with Thymeleaf
Does PHP's $_REQUEST method have a security problem?
Website hacking - Why it is always possible to do?
How do you protect code from leaking outside? [duplicate]
What techniques do you use when writing your own cryptography methods? [closed]
Generate cryptographically secure random numbers in php
Time bomb needed in ASP.NET application
How should i solve my method access security in c#?
How robust is nodejs as an http server? [closed]
Nodejs createCipher vs createCipheriv

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!