Decentralized Oracles: Rewards Proposal

I run my oracle reporter on GCP and create an oracle-specific IAM service account that is assigned only to the oracle reporter machine. This oracle reporter machine has a firewall that blocks off all ports; the only way to remotely access it is to SSO into Google Cloud and use their authenticated gcloud tool to get past the firewall. The machine has an auto-restart and maintenance live-migration policy on it, so GCP will move it around and keep it alive even if the host machine has downtime.

From that machine service account, the oracle reporter Docker instance uses the Google Secrets API to retrieve the actual private key. Keys are never in an environment variable or on disk, and are loaded directly into the memory of the oracle reporter Node.js process.

The original Celo Oracle reporter had integration for Azure and AWS key management; I added the GCP Secret integration in my public fork (add gcp secret · diwu1989/celo-oracle@28328fb · GitHub).

Something like this can be cleaned up and upstreamed with unit tests and more validation to add official Google Secrets support.

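The key-loading pattern described in the post above, sketched as an added example. It is not code from the post, the linked fork, or the Celo oracle project. `loadOracleKey` and the validation rules are hypothetical; the only library call assumed is `accessSecretVersion` from `@google-cloud/secret-manager`, authenticated through the VM's attached service account.

```javascript
'use strict';

// A 32-byte private key as hex, with an optional 0x prefix.
const KEY_RE = /^(0x)?[0-9a-fA-F]{64}$/;
// Full resource name of one secret version.
const NAME_RE = /^projects\/[^/]+\/secrets\/[^/]+\/versions\/[^/]+$/;

// Build the real client lazily so callers (and tests) can inject their own.
// With no explicit credentials the client uses Application Default
// Credentials, i.e. the service account attached to the reporter VM.
function defaultClient() {
  const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
  return new SecretManagerServiceClient();
}

// Hypothetical helper: fetch the key straight into process memory.
// Nothing is written to process.env or to disk, and the payload is never
// included in an error message, so a malformed secret cannot leak via logs.
async function loadOracleKey(secretVersionName, client = defaultClient()) {
  if (!NAME_RE.test(secretVersionName)) {
    throw new Error('secret name must be projects/*/secrets/*/versions/*');
  }
  const [version] = await client.accessSecretVersion({ name: secretVersionName });
  const data = version && version.payload && version.payload.data;
  if (!data || data.length === 0) {
    throw new Error('secret payload is empty');
  }
  // payload.data arrives as bytes; tolerate a trailing newline from upload.
  const text = Buffer.from(data).toString('utf8').trim();
  if (!KEY_RE.test(text)) {
    throw new Error('secret payload is not a 32-byte hex private key');
  }
  const hex = text.toLowerCase();
  return hex.startsWith('0x') ? hex : '0x' + hex;
}
```

Pinning the name to a numbered version rather than `latest` keeps a newly added secret version from silently changing the signing key on the next restart.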