Let Google Do Secret Management

In this post, I will talk about Google’s Secret Manager service and show how easy is to manage passwords/tokens in GCP.

Problem

Managing secrets and sharing secrets(like database passwords, tokens, etc..) is a hard problem and failing to secure tokens can lead to some serious issues.

An example scenario: when an application is being developed, it might need to connect to a database or need some certificates or need tokens(for example, Slack token) to make API calls. It is not a good practice to put these secret keys in Source code as they live their forever and visible to all people who have access to the source code. Sometimes, developers keep these keys in a separate local file (added to .gitignore) and share these keys using different methods like Slack chat, Email, etc.. This approach is still not good as secret tokens are in plain text and scattered between team members. How do you manage a situation when a team member moves to a different team or different place? It is difficult to rotate keys and share it again with all the required team members.

You can read more about why secret keys should live separate than code at 123factor.net

Solution

The solution to this problem is Secret Management tools like Hashicorp Vault, Berglas, Google Secret Manager, AWS Secret Manager, etc. One of the popular tools out there is Hashicorp Vault but a team has to setup and manage the own infrastructure.

In this post, we will learn about Google managed secret management solution - Secret Manager and see how easy is to store and retrieve keys and passwords.

What is Secret Manager?

Google Secret Manager is a recent addition to Google Cloud Platform which can store API Keys, passwords, certificates, sensitive strings, etc.. This feature is currently in beta.

Google Secret Manager’s access control is integrated with Cloud IAM and a project owner can control who can read the secrets.

roles/secretmanager.admin: This role gives full access to administer the Secret. A person(or service account) with this role can perform CRUD(Create, Read, Update and Delete) operations on the Secrets.

roles/secretmanager.secretAccessor: This role provides access to read the Secret. A person(or service account) with this role can read the secret value store like API key.

roles/secretmanager.viewer: This role provides access to view the metadata of the Secret. A person(or service account) with this role can read the secret metadata but not the value stored.

Now, we are familiar with Google Secret Manager, let’s interact with this service.

Interacting with Secret Manager

Prerequisites

This post assumes the following:

1. We already have a GCP Project with the Project Owner role.
2. Google Cloud SDK (gcloud) is setup on your workstation. If you don’t have, then refer to my previous blogs - Getting started with Google Cloud SDK.

Note : You can also use Google Cloud Shell to run the gcloud commands.

Enabling the Secret API

To interact with Google Secret Manager, we need to enable this API.
Run the following command to enable this API.

$ gcloud services enable secretmanager.googleapis.com --project=workshop-demo-23345

Output

Operation "operations/acf.xxxxxxf-xxxx-xxxx-xxxx-xxxxxxx" finished successfully.

Create a Secret

Run the following gcloud command to create a secret.

gcloud beta secrets create demo-secret --replication-policy "automatic"

Output

Created secret [demo-secret].

Note:
1. This has created an empty secret which can hold the mutilple secret versions (actual sensitive information).
2. In this example, we used --replication-policy as automatic but can be user-managed to specify the location you want to put your secret in.

Add Values to Secret

Secret Version contains the actual sensitive value.

echo "my_super_secret_string" | gcloud beta secrets versions add 'demo-secret' --data-file=-

Output

Created version [1] of the secret [demo-secret].

Read the Secret value

gcloud beta secrets versions access 1 --secret='demo-secret'

Output

my_super_secret_string

Note: Never print the secret value in an application.

We can similarly, use the gcloud command or client libraries within the application to fetch the secret value when required instead of putting in source code or in some kind of property file.

Conclusion

Google Secret Manager enables developers to store and share the API Keys, password, etc in an easy fashion without having to manage tools like Vault, etc..

If you have feedback or questions, please reach out to me on LinkedIn or Twitter