Are you overwhelmed with the secrets you need to keep safe? No, not that kind of secret! We meant SSH keys, API keys, admin credentials, and other confidential information. Saving these secrets in an easily readable text file will make your InfoSec guy’s skin crawl.
There are many ways to store secrets; in this post we'll look at one of them: Google Cloud Secret Manager. The GCP Secret Manager can become your one-stop shop for storing sensitive information.
Let’s explore how you can use the GCP Secret Manager to store and access confidential information.
Requirements
- A Google Cloud Platform account.
- Basic understanding of the GCP resource hierarchy and Google Cloud CLI commands.
- A computer with the Google Cloud CLI installed.
Create a New Project
In the GCP resource hierarchy, your resources are created inside a project. You can skip this step if you already have a GCP project you want to use instead.
- Log in to your Google Cloud console.
- Click the project selection dropdown at the top.
- On the pop-up page, click NEW PROJECT.
- Type the project name you want to assign. The project name must be globally unique and cannot be changed later. Once you've entered the name, click CREATE.
- Once the project is created, click SELECT PROJECT to activate it.
Enable the GCP Secret Manager API
Once you've created the project, the next step is to enable the API that makes the GCP Secret Manager work under the hood. The API is not enabled by default, so follow these steps to enable it. You only need to do this once per project.
Click the navigation menu → Security → Secret Manager.
On the Secret Manager API page, click Enable.
Create and Access Secrets
With the underlying API enabled, the GCP Secret Manager is now ready to accept new secrets.
Using the Google Cloud Console
Click CREATE SECRET on the Secret Manager page.
Configure the new secret as follows.
- Enter the secret Name. The name must be unique and should be identifiable.
- Either upload a file containing the secret or paste the secret into the Secret value box.
- Once you’ve added the secret details, click CREATE SECRET.
And you have now created the secret and its first version.
When you need to retrieve the secret value, click the Actions button → View secret value.
And you should see the secret value displayed like so.
Using the Google Cloud CLI
Here's how you can create and view secrets in the GCP Secret Manager using the Google Cloud CLI.
First, confirm that the account gcloud is authorized as has access to the project.
gcloud projects list
Now, let's switch to that project. Replace [PROJECT-ID] with your project's ID.
gcloud config set project [PROJECT-ID]
For comparison later, let’s list the current secrets stored in this project.
gcloud secrets list
As you can see, this project has only one secret.
In this example, I’ll create a new secret called ssh-key-1 and store an SSH key from the local file ./ssh_key.
gcloud secrets create ssh-key-1 --data-file=./ssh_key
If the command is successful, you’ll see an output similar to the one below.
Run this command to confirm that the new secret now exists in the project.
gcloud secrets list
And as you can see, the new secret is now added to the GCP Secret Manager.
To view the secret value, run this command:
gcloud secrets versions access 1 --secret=ssh-key-1
The parts of the command are:
- gcloud secrets versions access — the main command group.
- 1 — the version of the secret you want to access.
- --secret — the flag that accepts the secret name.
- ssh-key-1 — the name of the secret you want to access.
You should see the SSH key displayed on the screen. It's up to you to redirect this output to a file on disk for later use.
GCP Secret Manager Considerations
Here are some considerations when using the GCP Secret Manager.
- Users with the Owner role on the project can access all secrets. If other users need access to the secrets in this project, you must grant it to them explicitly through the Permissions tab.
- Each secret version can be disabled or deleted, but its value cannot be changed. If you need a new value, create a new version of that secret instead.
- Consider setting an expiration on secrets. Once a secret expires, it can no longer be used.
- To better organize your secrets, adding labels is recommended.
- You can add non-sensitive information to the secret by adding annotations.
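The CLI walkthrough above and the considerations list both map onto a handful of gcloud commands. The following POSIX shell script is an added example, not code from the original post or from Google: it wraps those commands with the habits a defender would want, namely reading the key from stdin instead of a plaintext file, writing the retrieved value to a file only the caller can read, granting the accessor role on one secret rather than the project, rotating by adding a version and disabling the old one, and setting a TTL and labels at creation time. The project ID, the service-account member, the 30-day TTL, the label values and the GCLOUD override variable are assumptions, not values the post specifies.

```shell
#!/bin/sh
# Added example, not code from the original post. A POSIX sh wrapper around
# the gcloud secrets commands shown above. Assumed placeholders (not from the
# post): PROJECT_ID, the service-account member, the 30d TTL and the labels.
set -eu

GCLOUD="${GCLOUD:-gcloud}"                  # override to wrap or test
PROJECT_ID="${PROJECT_ID:-[PROJECT-ID]}"    # placeholder: your project ID
SECRET_NAME="${SECRET_NAME:-ssh-key-1}"

# Create the secret and its first version. The value is read from stdin
# (--data-file=-), so the key never has to sit in a plaintext file such as
# ./ssh_key. --ttl sets an expiration and --labels keeps secrets organised.
create_secret() {
    name="$1"; ttl="$2"
    "$GCLOUD" secrets create "$name" \
        --project="$PROJECT_ID" \
        --replication-policy=automatic \
        --ttl="$ttl" \
        --labels=env=prod,owner=infra \
        --data-file=-
}

# Grant one principal read access to this one secret only, rather than a
# Secret Manager role on the whole project (Owners already see everything).
grant_accessor() {
    name="$1"; member="$2"
    "$GCLOUD" secrets add-iam-policy-binding "$name" \
        --project="$PROJECT_ID" \
        --member="$member" \
        --role=roles/secretmanager.secretAccessor
}

# Retrieve a version into a file only the caller can read, without echoing
# it to the terminal. Pin an explicit version number in automation; "latest"
# is convenient but silently follows rotations.
fetch_secret_to_file() {
    name="$1"; version="$2"; out="$3"
    old_umask=$(umask)
    umask 077                                # created 0600 from the start
    "$GCLOUD" secrets versions access "$version" \
        --secret="$name" --project="$PROJECT_ID" > "$out"
    umask "$old_umask"
    chmod 600 "$out"
}

# Versions are immutable: rotating means adding a new version (value from
# stdin) and disabling the old one, which can be re-enabled if rollout fails.
rotate_secret() {
    name="$1"; old_version="$2"
    "$GCLOUD" secrets versions add "$name" \
        --project="$PROJECT_ID" --data-file=-
    "$GCLOUD" secrets versions disable "$old_version" \
        --secret="$name" --project="$PROJECT_ID"
}

main() {
    # Constructed key material for the demo; pipe a real key here instead.
    printf 'CONSTRUCTED-KEY-MATERIAL\n' | create_secret "$SECRET_NAME" 30d
    grant_accessor "$SECRET_NAME" \
        "serviceAccount:app@${PROJECT_ID}.iam.gserviceaccount.com"
    fetch_secret_to_file "$SECRET_NAME" 1 ./ssh_key
}

# Run the demo only when asked (sh secrets.sh demo) so the file can be sourced.
if [ "${1:-}" = "demo" ]; then
    main
fi
```

Run it as `sh secrets.sh demo` after `gcloud auth login` and after setting PROJECT_ID; without the argument the script only defines the functions, so it can be sourced from other scripts. The GCLOUD variable exists so the functions can be pointed at a wrapper or a test double instead of the real binary.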
Conclusion
GCP Secret Manager is an excellent centralized secret repository service. It lets you store sensitive data, such as keys, passwords, and certificates. The secrets can be viewed from the GCP Secret Manager console or the Google Cloud CLI, among others.