GCP Secret Manager - ghdrako/doc_snipets GitHub Wiki

Resource:

Secret Manager is a convenient and secure system that's used to store certificates, passwords, or API keys. Storing this sensitive data in a central location allows for a single source of truth to manage, access, and audit secrets across Google Cloud. Secret Manager also allows access policies to be set for each secret. Additionally, audit logs can be configured for each secret access. This service is an alternative to third-party secret management systems such as HashiCorp Vault.

This service allows you to store, manage, and access secrets as binary blobs or text strings. You can use it to store sensitive information such as database passwords, API keys, or TLS/SSL certificates used by applications. Individuals with the appropriate access will be able to see the contents of secrets. On the other hand, Cloud KMS allows you to manage cryptographic keys and use them to encrypt or decrypt data, but not view, extract, or export the keys.

Access to secrets can be controlled with Cloud IAM. There are five curated IAM roles that create a default separation of duties for secret management:

  • Secret Manager Secret Accessor: Enables examination of the payload
  • Secret Manager Secret Version Adder: Enables the addition of new versions to secrets (that is, rotating them)
  • Secret Manager Secret Version Manager: Enables creating and managing versions of secrets
  • Secret Manager Viewer: Allows the viewing of metadata of all Secret Manager resources
  • Secret Manager Admin: Allows access to perform all administrative activities on all Secret Manager resources

It makes sense to have different repositories for different environments and/or folders representing different departments or teams. That way, you can define access control and the separation of responsibilities more granularly.
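The separation of duties described by the five roles above is easy to lose once bindings accumulate on a secret. The following is an added audit script (not from this wiki) that reads a policy in the JSON shape returned by `gcloud secrets get-iam-policy SECRET --format=json` and flags a principal that can both read the payload and add versions, a principal holding admin directly on the secret, or a public principal. The sample policy, project name and e-mail addresses are constructed for the example.

```python
"""Audit a Secret Manager IAM policy for separation-of-duties violations.

Added example, not part of the wiki page. Input is the JSON that
`gcloud secrets get-iam-policy SECRET --format=json` prints.
"""
import json

# Role IDs of the curated Secret Manager roles listed on this page.
READ_ROLES = {"roles/secretmanager.secretAccessor"}
WRITE_ROLES = {
    "roles/secretmanager.secretVersionAdder",
    "roles/secretmanager.secretVersionManager",
}
ADMIN_ROLES = {"roles/secretmanager.admin"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def roles_by_member(policy: dict) -> dict[str, set[str]]:
    """Invert the bindings list into {member: {role, ...}}."""
    out: dict[str, set[str]] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def find_violations(policy: dict) -> list[str]:
    """Return human-readable findings; an empty list means the policy is clean."""
    findings = []
    for member, roles in sorted(roles_by_member(policy).items()):
        if member in PUBLIC_MEMBERS:
            findings.append(f"{member} has {sorted(roles)} (public principal)")
        if roles & ADMIN_ROLES:
            findings.append(f"{member} holds admin on the secret")
        if roles & READ_ROLES and roles & WRITE_ROLES:
            findings.append(f"{member} can both read and rotate (SoD violation)")
    return findings


# Constructed sample: the app reads, CI rotates, and one human account does both.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/secretmanager.secretAccessor",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com",
                 "user:ops@example.com"]},
    {"role": "roles/secretmanager.secretVersionAdder",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com",
                 "user:ops@example.com"]}
  ],
  "etag": "BwXyZ123",
  "version": 1
}
""")

if __name__ == "__main__":
    for line in find_violations(SAMPLE_POLICY) or ["no findings"]:
        print(line)
```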

Features:

  • Global names and replication - secrets are global resources, but the payload data can optionally be stored in specific regions
  • Versioning - no limit on the number of versions
  • Principle of least privilege - secrets are created at the project level
  • Audit logging
  • Strong encryption