14

If I write a Google Apps Script, and within the script I need to invoke third-party APIs or make database calls, what is the appropriate way of managing secret API keys and passwords?

Is there any risk in placing the secrets directly within the script if I publish the script as an API but don't share access to the Google Drive location that contains the Google Apps Script?

Master_Yoda
  • 4
    For example, how about using Web Apps for your situation? I think that you can use the secret keys in the script of Web Apps. A sample flow is as follows. 1. Create the script using Google Apps Script including the secret keys. 2. Deploy it as Web Apps. 3. You call the Web Apps like an API and retrieve the values by running the script. In this case, the ID including the endpoint of Web Apps is not the script ID and also the script is not required to be shared. https://developers.google.com/apps-script/guides/web If this was not what you want, I'm sorry. – Tanaike Nov 07 '18 at 22:44
  • 4
    Also, store it in [User Properties](https://developers.google.com/apps-script/reference/properties/properties-service#getUserProperties()) – TheMaster Nov 08 '18 at 01:53
  • @OP - Did you manage to find a better solution than keeping it in script? – Anshu Prateek Jun 30 '19 at 08:54
  • 1
    @Anshu Prateek Unfortunately, user properties seems to be the only alternative. It's not a great solution. – Master_Yoda Jun 30 '19 at 13:10
  • @Master_Yoda Why is user properties not a great solution? – IMTheNachoMan Dec 11 '19 at 03:48
  • @IMTheNachoMan One reason: If you share the script, everyone can see the user properties. – Master_Yoda Dec 11 '19 at 15:31
  • @Master_Yoda the UserProperties is different on a user-by-user basis. If you are wanting to be able to share a script but still keep it secret you might need to look into publishing an Add-On which will allow you to keep your code secret while allowing the process to be open. – Rob Dec 31 '19 at 00:16
  • @Master_Yoda No they won't. User properties is private to the user setting the property. – TheMaster Mar 21 '20 at 14:55
  • @Rob - Good to know. Still unfortunately doesn't help because other people should be able to invoke the script when I share. – Master_Yoda Sep 04 '20 at 02:11
  • Because that's what Google does, the UserProperties have been deprecated. Sigh. – dannysauer Feb 17 '21 at 20:29

1 Answer

4

There is no right or wrong answer. There are numerous factors to consider:

  • If this is for/in G-Suite, then your G-Suite admins'll have (or can get) access to anything. This may or may not be an issue.
  • If you put the data in a sheet, anyone that has read access to the sheet can see the data.
  • You can use PropertiesService but then folks can access as explained in the documentation. User properties is one way but may not work in all use-cases -- like if another user is executing the code. You could use installable triggers if that is do-able for your use-case.
  • If folks need to be able to make the API call with your key, you could write a proxy web-app that they can call but not see source for.
IMTheNachoMan
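
The proxy web app suggested in the answer (and the Web Apps flow in the first comment), as an added example that is not part of the original posts: the key is read from script properties at run time and callers receive only the upstream result. The property name `THIRD_PARTY_API_KEY`, the endpoint `https://api.example.com/v1/lookup`, the `q` parameter and the Bearer header are assumptions made for illustration.

```javascript
// Added example. Assumed names: THIRD_PARTY_API_KEY (script property),
// UPSTREAM_URL (placeholder endpoint), the "q" parameter, Bearer auth.
const UPSTREAM_URL = 'https://api.example.com/v1/lookup'; // placeholder
const ALLOWED_PARAMS = ['q']; // callers may set only these

// Core logic, with the Apps Script services passed in so it can be tested
// outside Apps Script. `props` has getProperty(); `fetch` has the shape of
// UrlFetchApp.fetch(url, params).
function proxyRequest(e, props, fetch) {
  const key = props.getProperty('THIRD_PARTY_API_KEY');
  if (!key) return { status: 500, body: { error: 'proxy not configured' } };

  // Forward only allowlisted parameters. The URL is fixed, so a caller
  // cannot make the proxy send the key to a host of their choosing.
  const params = (e && e.parameter) || {};
  const query = ALLOWED_PARAMS
    .filter((name) => typeof params[name] === 'string' && params[name] !== '')
    .map((name) => name + '=' + encodeURIComponent(params[name]));
  if (query.length === 0) return { status: 400, body: { error: 'missing q' } };

  const res = fetch(UPSTREAM_URL + '?' + query.join('&'), {
    method: 'get',
    headers: { Authorization: 'Bearer ' + key }, // key stays server-side
    muteHttpExceptions: true, // handle error codes here instead of throwing
  });
  const code = res.getResponseCode();
  // Do not relay upstream error bodies; they may echo request details.
  if (code < 200 || code >= 300) return { status: 502, body: { error: 'upstream error' } };
  let data;
  try { data = JSON.parse(res.getContentText()); }
  catch (err) { return { status: 502, body: { error: 'upstream error' } }; }
  return { status: 200, body: data };
}

// Web app entry point. Deploy with "Execute as: Me" so callers never need
// access to the project. Anyone with edit access to the project can still
// read script properties, so keep the editor list short.
function doGet(e) {
  const out = proxyRequest(e, PropertiesService.getScriptProperties(),
    (url, params) => UrlFetchApp.fetch(url, params));
  // ContentService cannot set an HTTP status, so it travels in the body.
  return ContentService.createTextOutput(JSON.stringify(out))
    .setMimeType(ContentService.MimeType.JSON);
}
```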