Currently, if you want to run the proxy with a service account, you pass the -credential_file=/path/to/key.json flag. Deploying this file is a headache, especially if you're using VMs with ephemeral storage or running the proxy in a container.
Since I'm using the containerized cloud_sql_proxy, I think my only option for deploying the key file is to make a custom image with the file copied into the container. This is not ideal for two reasons:
1. Since the image has a secret baked into it, the image itself becomes a secret that needs to be protected.
2. I have to set up a private docker registry, like GCR.
It would be nice to have the option of putting the whole JSON string in an env var. Then I could pass the key to the container like this:
docker run -e GOOGLE_CREDENTIALS="${ENTIRE_SERVICE_ACCOUNT_KEY}" gcr.io/cloudsql-docker/gce-proxy
P.S. Thanks for all your work on this project! 🙇
UPDATE: Looking at the usage of cloud_sql_proxy with terraform on GitHub, nearly everyone is using k8s volumes to mount the key file into the container. That's great for them, but I'm not using k8s. I'm just trying to run the proxy on a simple VM.
Thanks for the feedback, @y0ssar1an, that's an interesting suggestion. That would mean the command itself needs to be secured, but I agree there are scenarios where that could be a useful alternative rather than needing to secure an image that contains the credential file. Closing this for now (since it's not an open bug per se), but I'll add that to the backlog for future consideration.
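One way to act on the suggestion in this thread without baking the key into the image, as an added example that is not code from the issue or from the cloud_sql_proxy project: an entrypoint wrapper that moves the key from the GOOGLE_CREDENTIALS env var into a 0600 file on tmpfs and execs the proxy with the existing -credential_file flag. The env var name, the /cloud_sql_proxy binary path inside the gce-proxy image and the /entrypoint.sh file name are assumptions.

```shell
#!/bin/sh
# Added example, not part of cloud_sql_proxy: container entrypoint that takes
# the service-account key from the GOOGLE_CREDENTIALS env var (name assumed
# from the issue), writes it to a 0600 file on tmpfs, and execs the proxy with
# the existing -credential_file flag. Nothing is copied into the image.
set -eu

# write_credential_file KEY_JSON DEST
# Writes KEY_JSON to DEST readable only by the current user. Returns 1 if the
# key is empty or does not look like a service-account key (e.g. the variable
# was set to a file path instead of the file's contents).
write_credential_file() {
    key_json=$1
    dest=$2
    [ -n "$key_json" ] || { echo "GOOGLE_CREDENTIALS is empty" >&2; return 1; }
    case "$key_json" in
        *'"private_key"'*) ;;
        *) echo "GOOGLE_CREDENTIALS is not a service-account key JSON" >&2; return 1 ;;
    esac
    umask 077                      # file is created 0600, never world-readable
    printf '%s' "$key_json" > "$dest"
    chmod 0600 "$dest"
}

# run_proxy PROXY_ARGS...
# Materialises the key in a private tmpfs directory, removes it from the
# environment the proxy will inherit, and replaces this shell with the proxy.
run_proxy() {
    dir=$(mktemp -d "${TMPDIR:-/dev/shm}/sqlproxy.XXXXXX")
    credfile="$dir/key.json"
    write_credential_file "${GOOGLE_CREDENTIALS:-}" "$credfile"
    unset GOOGLE_CREDENTIALS       # the proxy process itself never sees the key
    # /cloud_sql_proxy is where the gce-proxy image ships the binary (assumed).
    exec /cloud_sql_proxy -credential_file="$credfile" "$@"
}

# Only run when executed as the entrypoint (ENTRYPOINT ["/entrypoint.sh"]);
# sourcing the file just defines the functions.
case "$0" in
    */entrypoint.sh) run_proxy "$@" ;;
esac
```

The key still appears in the container's configuration (docker inspect) and, if passed literally on the command line, in shell history, which is the "command itself needs to be secured" point in the reply; pass it via --env-file or from a secret store rather than inline.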