Using Google Cloud Services in EAS Build - dynamic token approach
15.05.2025
When building React Native apps with EAS Build, you might need to access some of the Google Cloud services during the build process. In order to do so, you need to authorize the runner and get yourself a token.
Instead of dealing with long-lived tokens that compromise security, this approach dynamically generates fresh tokens during each build—they expire after just one hour, keeping your project secure.
Even if we set aside security concerns, there's a practical problem: Google Cloud tokens max out at 12 hours (and that's only if your organization allows it). Constantly updating tokens manually is a productivity killer that breaks your flow. By generating tokens on-demand during builds, you get both better security and a smoother development experience.
Here's how to dynamically generate tokens.
Creating a script
The solution would be to:
- Create a Custom EAS Build process
- Create a script that installs Google Cloud CLI and generates a short-lived access token (off of a base64 encoded service-account.json file)
Let's create a script that does all the required things then:
#!/bin/bash

# Install Google Cloud CLI if not present
if ! command -v gcloud &>/dev/null; then
  echo "Installing Google Cloud SDK..."
  # Use official Google Cloud SDK download URLs
  if [[ "$OSTYPE" == "darwin"* ]]; then
    # This URL is for macOS
    # The URL might change over time, so it may need updating in the future
    curl -L https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-x86_64.tar.gz -o gcloud-sdk.tar.gz
  else
    # This URL is for Linux
    # The URL might change over time, so it may need updating in the future
    curl -L https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-x86_64.tar.gz -o gcloud-sdk.tar.gz
  fi

  # Extract and install
  tar -xzf gcloud-sdk.tar.gz
  ./google-cloud-sdk/install.sh --quiet
  source ~/.bashrc

  # Cleanup
  rm gcloud-sdk.tar.gz
  export PATH="$PWD/google-cloud-sdk/bin:$PATH"
fi

# Decode service account JSON from base64 env variable SERVICE_ACCOUNT_JSON_CONTENT
echo "$SERVICE_ACCOUNT_JSON_CONTENT" | base64 --decode > service-account.json

# Authenticate with Google Cloud
gcloud auth activate-service-account --key-file=service-account.json

# Generate access token
GENERATED_GCLOUD_TOKEN=$(gcloud auth print-access-token)

# Remove the decoded key so it does not stay in the project directory for the rest of the build
rm -f service-account.json

# Export token as environment variable for subsequent build steps using eas' set-env
set-env GCLOUD_API_TOKEN "$GENERATED_GCLOUD_TOKEN"
echo "Google Cloud access token saved to GCLOUD_API_TOKEN environment variable."
Do not forget to make your script executable by running
chmod u+x PATH
where PATH is the path to your script.
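A variant of the decode and authenticate steps, as an added example that is not part of the original post: it writes the key to a private temp file outside the checkout, rejects input that is not a service account key, and deletes the key when the script exits. The names write_sa_key, fetch_gcloud_token and SA_KEY_FILE are assumptions; set-env and SERVICE_ACCOUNT_JSON_CONTENT are taken from the script above.

```shell
#!/bin/bash
# Added example, not from the original post. Function names are assumptions.

# Decode the base64 key in $1 into a private temp file outside the checkout,
# check that it looks like a service account key, and print the file's path.
write_sa_key() {
  local key_file
  # mktemp creates the file with mode 0600, so other users cannot read it.
  key_file=$(mktemp "${TMPDIR:-/tmp}/sa-key.XXXXXX") || return 1
  if ! printf '%s' "$1" | base64 --decode > "$key_file" 2>/dev/null; then
    rm -f "$key_file"
    echo "SERVICE_ACCOUNT_JSON_CONTENT is not valid base64" >&2
    return 1
  fi
  # Cheap sanity check (not a JSON parse): key files carry this type field.
  if ! grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key_file"; then
    rm -f "$key_file"
    echo "Decoded content is not a service account key" >&2
    return 1
  fi
  printf '%s\n' "$key_file"
}

# Replacement for the decode/activate/print steps of gcloud.sh.
fetch_gcloud_token() {
  local token
  SA_KEY_FILE=$(write_sa_key "$SERVICE_ACCOUNT_JSON_CONTENT") || return 1
  # Remove the key when the script exits, whether it succeeds or fails.
  trap 'rm -f "$SA_KEY_FILE"' EXIT
  gcloud auth activate-service-account --key-file="$SA_KEY_FILE" || return 1
  token=$(gcloud auth print-access-token) || return 1
  [ -n "$token" ] || { echo "gcloud returned an empty token" >&2; return 1; }
  set-env GCLOUD_API_TOKEN "$token"   # EAS helper, as in the script above
}

# Runs only when the secret is present (as on the EAS runner), so the
# functions can also be sourced and exercised locally without gcloud.
if [ -n "${SERVICE_ACCOUNT_JSON_CONTENT:-}" ]; then
  fetch_gcloud_token || exit 1
fi
```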
EAS Build configuration
Create .eas/build/with-prebuild.yml
at your project's root (where your eas config is located):
build:
  name: Custom EAS Build with pre-build steps
  steps:
    - eas/checkout
    - run: |
        ./gcloud.sh # This is the script we created above
    - eas/build
And reference this flow in the eas.json:
{
  "cli": {},
  ...
  "build": {
    "your-build-config-name": {
      "config": "with-prebuild.yml"
    }
  },
  "submit": {},
  ...
}
Et voilà! You can now use the GCLOUD_API_TOKEN
environment variable in your build process to access Google Cloud services securely and efficiently.
Daniel