Originally published at pbhadani.com
In this post, I will talk about Google's Secret Manager service and show easy is to manage passwords/tokens in GCP.
Managing secrets and sharing secrets(like database passwords, tokens, etc..) is a hard problem and failing to secure tokens can lead to some serious issues.
An example scenario - When an application is being developed, it might need to connect to a database or need some certificates or need tokens(for example, Slack token) to make API calls. It is not a good practice to put these secret keys in Source code as they live their forever and visible to all people who have access to the source code. Sometimes, developers keep these keys in a separate local file (added to .gitignore) and share these keys using different methods like Slack chat, Email, etc.. This approach is still not good as secret tokens are in plain text and scattered between team members. How do you manage a situation when a team member moves to a different team or different place? It is difficult to rotate keys and share it again with all the required team members.
You can read more about why secret keys should live separate than code at 123factor.net
The solution to this problem is Secret Management tools like Hashicorp Vault, Berglas, Google Secret Manager, AWS Secret Manager, etc.
One of the popular tools out there is Hashicorp Vault but a team has to setup and manage the own infrastructure.
In this post, we will learn about Google managed secret management solution - Secret Manager and see how easy is to store and retrieve keys and passwords.
Google Secret Manager is a recent addition to Google Cloud Platform which can store API Keys, passwords, certificates, sensitive strings, etc..
This feature is currently in beta.
Google Secret Manager's access control is integrated with Cloud IAM and a project owner can control who can read the secrets.
roles/secretmanager.admin : This role gives full access to administer the Secret. A person(or service account) with this role can perform CRUD(Create, Read, Update and Delete) operations on the Secrets.
roles/secretmanager.secretAccessor : This role provides access to read the Secret. A person(or service account) with this role can read the secret value store like API key.
roles/secretmanager.viewer: This role provides access to view the metadata of the Secret. A person(or service account) with this role can read the secret metadata but not the value stored.
Now, we are familiar with Google Secret Manager, let's interact with this service.
This post assumes the following:
- We already have a GCP Project with the Project Owner role.
- Google Cloud SDK (
gcloud) is setup on your workstation. If you don't have, then refer to my previous blogs - Getting started with Google Cloud SDK.
Note : You can also use Google Cloud Shell to run the
To interact with Google Secret Manager, we need to enable this API.
Run the following command to enable this API.
$ gcloud services enable secretmanager.googleapis.com --project=workshop-demo-23345
Operation "operations/acf.xxxxxxf-xxxx-xxxx-xxxx-xxxxxxx" finished successfully.
Run the following
gcloud command to create a secret.
gcloud beta secrets create demo-secret --replication-policy "automatic"
Created secret [demo-secret].
- This has created an empty secret which can hold the mutilple secret versions (actual sensitive information).
- In this example, we used
automaticbut can be
user-managedto specify the location you want to put your secret in.
Secret Version contains the actual sensitive value.
echo "my_super_secret_string" | gcloud beta secrets versions add 'demo-secret' --data-file=-
Created version  of the secret [demo-secret].
gcloud beta secrets versions access 1 --secret='demo-secret'
Note: Never print the secret value in an application.
We can similarly, use the
gcloud command or client libraries within the application to fetch the secret value when required instead of putting in source code or in some kind of property file.
Google Secret Manager enables developers to store and share the API Keys, password, etc in an easy fashion without having to manage tools like Vault, etc..