Generate credentials file at startup, not build time

[dmathieu]

The config var value can be changed at any moment, and doing so
shouldn't require a new deployment.
Generating this file at build time also means it's not possible to use
Heroku Pipelines, as a promotion doesn't trigger a new deployment.

[marcmetz]

Hey dmathieu can you tell me if I have to change the GOOGLE_APPLICATION_CREDENTIALS to /app/google-credentials.json or similar? I added the code to my own app under bin/pre_compile but I only see the first ------> Generating .profile.d file to generate google-credentials.json at startup not the second one echo $GOOGLE_CREDENTIALS. The main problem is that the authentication doesn't work. Or is the reason that the env vars are not loaded yet on pre_compile?

[dmathieu]

The echo won't be displayed. It's sent to the .profile.d file. When you run a one-off dyno with the heroku run command, is the file generated by this change available on disk? And is the config written?

For reference, here is the doc on profile.d scripts: https://devcenter.heroku.com/articles/buildpack-api#profile-d-scripts

[marcmetz]

The problem seems to be that " are missing around the credentials in the config vars.

{
      "type": "service_account",
      "project_id": "natural-language-254706",
      "private_key_id": "XXX",
      "private_key": "-----BEGIN PRIVATE KEY-----\nXXXXX\n-----END PRIVATE KEY-----\n",
      "client_email": "abc@natural-language-254706.iam.gserviceaccount.com",
      "client_id": "12345",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/starting-account-5yzg5dipgu01%40natural-language-254706.iam.gserviceaccount.com"
    }

However, when I try to add them manually they always get deleted:
echo "echo '$GOOGLE_CREDENTIALS' > /app/google-credentials.json" > $BUILD_DIR/.profile.d/google-credentials.sh

That leads to the error here. The original version by elishaterada, however, works for me.

[dmathieu]

Thank you @marcmetz. I've added escaping of the content.
It relies on bash 4.4, meaning this will only work on the heroku-18 stack: https://devcenter.heroku.com/articles/stack-packages

cedar-14 is already deprecated anyway, and heroku-16 will be in april.

[elishaterada]

@marcmetz are you able to use heroku-18 stack and test this out?

[marcmetz]

I just tested it. It works. Thank you!

[elishaterada]

@dmathieu @marcmetz thank you!