How can I authenticate to Google Cloud as my service account?

I am attempting to implement back-end support for my mobile app, which needs to securely utilize the Google Cloud APIs relating to Google Play Billing. I have successfully created the required Google service account, and am getting push notifications from Google Cloud to my back-end, which I can decode and use.

In a nutshell, when I get a push notification from Google that a mobile app user of mine has purchased a subscription using the app, I need to be able to call back into the Google Cloud API to gather more information about that purchase, in order to update their account status in my back-end collections.

To do this requires that I set up various pieces on the Google Cloud side and then generate a private key associated with my Google service account (all of which I have done).

My problem is all the examples I have been able to find showing server-to-server access to Google Cloud show using an environmental variable GOOGLE_APPLICATION_CREDENTIALS which is supposed to then hold the path to that .json service account key file. I don’t see any way to support this using Velo.

I did find this post, which looked promising except that the APIs I am trying to use (example here) don’t seem to have the equivalent option of passing the private service account key to authenticate as the service account to then make that API call.

Is there an example of how to do this somewhere that someone could point me to?

I did install the googleapis node module, and have been perusing the documentation, but I’m a bit uncertain how to implement this in a Velo context.

Thanks!

For anyone reading this post, I got a solution through various Googling and experimenting. Here is a short example of my back-end calling in to have my Google Cloud service account fetch the list of in-app products I’ve defined there for my Android mobile app:

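  import { getSecret } from 'wix-secrets-backend';
  const {google} = require('googleapis');

  // The lines below run inside an async back-end function.
  // SERVICEACCOUNTNAME_KEY is the name of the secret that holds the key file's name.
  const serviceAccountKeyFilename = await getSecret(SERVICEACCOUNTNAME_KEY);
  // authenticate as the service account using the uploaded .json key file
  const googleAuth = new google.auth.GoogleAuth({
      keyFile: __dirname + '/' + serviceAccountKeyFilename,
      scopes: ['https://www.googleapis.com/auth/androidpublisher'],
  });
  // set auth as a global default for all requests
  google.options({auth: googleAuth});
  const publisher = google.androidpublisher('v3');
  // list the in-app products defined for the app
  const result = await publisher.inappproducts.list({
       packageName: '<YOUR APP PACKAGE NAME HERE>'
  });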

The key here is to upload the .json service account key file into the Wix back-end, then obtain the full path/filename to reference it that can be passed into the authentication call. The variable __dirname is what I was missing and returns that back-end path to which you can append the proper filename.

I chose to hide the name of this .json keyfile and fetch it from the secrets area as an added layer of security.
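A variant of the approach above, as an added example that is not the poster's code: it assumes the whole service account key JSON is stored as the secret value and hands it to `GoogleAuth` through its `credentials` option, so no key file sits among the back-end code files. The names `parseServiceAccountKey`, `createPublisher` and `secretName` are hypothetical, and `google` and `getSecret` are passed in as parameters.

```javascript
// Added example. `google` and `getSecret` are passed in so the logic can be
// exercised with stubs; in Velo they come from 'googleapis' and 'wix-secrets-backend'.
const SCOPES = ['https://www.googleapis.com/auth/androidpublisher'];

// Parse the key JSON held as a secret value and reject anything that is not a
// usable service account key. Error messages never echo key material.
function parseServiceAccountKey(secretValue) {
  let key;
  try {
    key = JSON.parse(secretValue);
  } catch (err) {
    throw new Error('service account secret is not valid JSON');
  }
  if (key === null || typeof key !== 'object' || key.type !== 'service_account') {
    throw new Error('secret is not a service account key');
  }
  for (const field of ['client_email', 'private_key']) {
    if (typeof key[field] !== 'string' || key[field].length === 0) {
      throw new Error(`service account key is missing ${field}`);
    }
  }
  if (!key.private_key.includes('BEGIN PRIVATE KEY')) {
    throw new Error('private_key is not PEM encoded');
  }
  // Hand the auth library only the two fields it needs.
  return { client_email: key.client_email, private_key: key.private_key };
}

// Build an Android Publisher client whose credentials come from the secret,
// not from a file. `secretName` (hypothetical) is the secret holding the key JSON.
async function createPublisher({ google, getSecret, secretName }) {
  const credentials = parseServiceAccountKey(await getSecret(secretName));
  const auth = new google.auth.GoogleAuth({ credentials, scopes: SCOPES });
  return google.androidpublisher({ version: 'v3', auth });
}
```

The returned client is used the same way as `publisher` in the post, for example `publisher.inappproducts.list({ packageName })`.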