Let Google Do Secret Management
Take a look at the Google Secret Manager and how easy is to manage passwords/tokens in GCP.
Join the DZone community and get the full member experience.
Join For FreeIn this post, I will talk about Google’s Secret Manager service and show how easy is to manage passwords/tokens in GCP.
Problem
Managing secrets and sharing secrets(like database passwords, tokens, etc..) is a hard problem and failing to secure tokens can lead to some serious issues.
An example scenario: when an application is being developed, it might need to connect to a database or need some certificates or need tokens(for example, Slack token) to make API calls. It is not a good practice to put these secret keys in Source code as they live their forever and visible to all people who have access to the source code. Sometimes, developers keep these keys in a separate local file (added to .gitignore) and share these keys using different methods like Slack chat, Email, etc.. This approach is still not good as secret tokens are in plain text and scattered between team members. How do you manage a situation when a team member moves to a different team or different place? It is difficult to rotate keys and share it again with all the required team members.
You can read more about why secret keys should live separate than code at 123factor.net
Solution
The solution to this problem is Secret Management tools like Hashicorp Vault, Berglas, Google Secret Manager, AWS Secret Manager, etc. One of the popular tools out there is Hashicorp Vault but a team has to setup and manage the own infrastructure.
In this post, we will learn about Google managed secret management solution - Secret Manager and see how easy is to store and retrieve keys and passwords.
What is Secret Manager?
Google Secret Manager is a recent addition to Google Cloud Platform which can store API Keys, passwords, certificates, sensitive strings, etc.. This feature is currently in beta.
Google Secret Manager’s access control is integrated with Cloud IAM and a project owner can control who can read the secrets.
roles/secretmanager.admin: This role gives full access to administer the Secret. A person(or service account) with this role can perform CRUD(Create, Read, Update and Delete) operations on the Secrets.
roles/secretmanager.secretAccessor: This role provides access to read the Secret. A person(or service account) with this role can read the secret value store like API key.
roles/secretmanager.viewer: This role provides access to view the metadata of the Secret. A person(or service account) with this role can read the secret metadata but not the value stored.
Now, we are familiar with Google Secret Manager, let’s interact with this service.
Interacting with Secret Manager
Prerequisites
This post assumes the following:
- We already have a GCP Project with the Project Owner role.
- Google Cloud SDK (
gcloud
) is setup on your workstation. If you don’t have, then refer to my previous blogs - Getting started with Google Cloud SDK.
Note : You can also use Google Cloud Shell to run the gcloud
commands.
Enabling the Secret API
To interact with Google Secret Manager, we need to enable this API.
Run the following command to enable this API.
$ gcloud services enable secretmanager.googleapis.com --project=workshop-demo-23345
Output
Operation "operations/acf.xxxxxxf-xxxx-xxxx-xxxx-xxxxxxx" finished successfully.
Create a Secret
Run the following gcloud
command to create a secret.
gcloud beta secrets create demo-secret --replication-policy "automatic"
Output
Created secret [demo-secret].
Note:
1. This has created an empty secret which can hold the mutilple secret versions (actual sensitive information).
2. In this example, we used --replication-policy
as automatic
but can be user-managed
to specify the location you want to put your secret in.
Add Values to Secret
Secret Version contains the actual sensitive value.
echo "my_super_secret_string" | gcloud beta secrets versions add 'demo-secret' --data-file=-
Output
Created version [1] of the secret [demo-secret].
Read the Secret value
gcloud beta secrets versions access 1 --secret='demo-secret'
Output
my_super_secret_string
Note: Never print the secret value in an application.
We can similarly, use the gcloud
command or client libraries within the application to fetch the secret value when required instead of putting in source code or in some kind of property file.
Conclusion
Google Secret Manager enables developers to store and share the API Keys, password, etc in an easy fashion without having to manage tools like Vault, etc..
If you have feedback or questions, please reach out to me on LinkedIn or Twitter
Published at DZone with permission of Pradeep Bhadani. See the original article here.
Opinions expressed by DZone contributors are their own.
Trending
-
Top Six React Development Tools
-
Decoding eBPF Observability: How eBPF Transforms Observability as We Know It
-
How to Use an Anti-Corruption Layer Pattern for Improved Microservices Communication
-
How AI Will Change Agile Project Management
Comments