Secrets Management on GCP: Secret Manager

In cloud-native applications, securely handling sensitive data such as API keys, passwords, certificates, and tokens is essential. Hardcoding secrets or storing them in plain-text configuration files can expose your systems to serious vulnerabilities. This is where Google Cloud Secret Manager comes in — a fully managed service for storing, accessing, and auditing secrets securely across your GCP environment.

Why Use Secret Manager?

Google Cloud Secret Manager provides centralized management and access control for sensitive configuration data. It allows you to:

  • Store secrets in a secure, encrypted, versioned system.
  • Control access using IAM roles and policies.
  • Access secrets from applications at runtime using client libraries, the gcloud CLI, or the REST API.
  • Audit secret access through Cloud Audit Logs.
  • Integrate easily with GKE, Cloud Functions, App Engine, and Cloud Run.

Storing Secrets

To store a new secret, you can use the Cloud Console, CLI, or Terraform. Here’s how to do it with the CLI:


gcloud secrets create api-key \
  --replication-policy="automatic"
  

Once created, add a secret version:


echo -n "super-secret-api-key" | \
  gcloud secrets versions add api-key --data-file=-
  

Accessing Secrets Securely

Applications can retrieve secrets programmatically or via the CLI:

From the CLI:


gcloud secrets versions access latest --secret="api-key"
  

From a GCP service (e.g., Cloud Run or GKE):

Assign the appropriate IAM role (roles/secretmanager.secretAccessor) to the service account running your application. Then use the Secret Manager API or client libraries to retrieve the secret securely.


from google.cloud import secretmanager

# The client uses Application Default Credentials, i.e. the service account
# attached to the Cloud Run service or GKE workload, so no key file is needed.
client = secretmanager.SecretManagerServiceClient()

# Fully qualified resource name of the version to read; replace <project-id>
# with your project id (or read it from the environment).
project_id = "<project-id>"
name = f"projects/{project_id}/secrets/api-key/versions/latest"
response = client.access_secret_version(name=name)
payload = response.payload.data.decode("UTF-8")
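The snippet above is the minimum; in a real service you usually want the version pinned (so a rollout does not silently pick up a half-rotated "latest"), the resource name validated before it is sent, and a failure mode that fails closed. The following is an added example, not code from the original post or from Google's client library: it wraps the same `access_secret_version(name=...)` call, reads the version from a `SECRET_VERSION` environment variable when the caller does not pin one (an assumption of this example), and injects the client so a constructed fake can stand in for `SecretManagerServiceClient` offline.

```python
"""Added example (not from the original post): a small accessor around the
Secret Manager client that validates the resource name, lets the version be
pinned, and can be exercised offline with a constructed fake client."""
import os
import re
from typing import Dict, Optional

# Shape of a version resource name as the Secret Manager API expects it.
_VERSION_NAME_RE = re.compile(
    r"^projects/[^/]+/secrets/[A-Za-z0-9_-]+/versions/(latest|\d+)$"
)


def is_valid_version_name(name: str) -> bool:
    return _VERSION_NAME_RE.match(name) is not None


def build_version_name(project_id: str, secret_id: str, version: str = "latest") -> str:
    """Return the fully qualified version name, validating its shape first."""
    name = f"projects/{project_id}/secrets/{secret_id}/versions/{version}"
    if not is_valid_version_name(name):
        raise ValueError(f"invalid secret version name: {name!r}")
    return name


class SecretUnavailable(Exception):
    """The version does not exist, is disabled/destroyed, or access was denied."""


def fetch_secret(client, project_id: str, secret_id: str,
                 version: Optional[str] = None) -> str:
    """Read one secret version and return its payload as text.

    `client` needs only access_secret_version(name=...) returning an object
    whose .payload.data is bytes, which is the real client's interface.
    SECRET_VERSION is an assumed environment variable, not a GCP convention.
    """
    version = version or os.environ.get("SECRET_VERSION", "latest")
    name = build_version_name(project_id, secret_id, version)
    try:
        response = client.access_secret_version(name=name)
    except Exception as exc:
        # The real client raises google.api_core exceptions such as NotFound,
        # PermissionDenied or FailedPrecondition (disabled version); the fake
        # below raises KeyError. Either way: fail closed, do not retry blindly.
        raise SecretUnavailable(name) from exc
    return response.payload.data.decode("UTF-8")


# --- constructed fake client so the helper runs without GCP credentials -----
class _Payload:
    def __init__(self, data: bytes) -> None:
        self.data = data


class _Response:
    def __init__(self, data: bytes) -> None:
        self.payload = _Payload(data)


class FakeSecretClient:
    """Maps version resource names to payload bytes; KeyError if unknown."""

    def __init__(self, store: Dict[str, bytes]) -> None:
        self._store = store

    def access_secret_version(self, name: str):
        return _Response(self._store[name])


def demo() -> Dict[str, str]:
    store = {  # constructed sample versions, not real secrets
        "projects/demo-project/secrets/api-key/versions/1": b"old-key",
        "projects/demo-project/secrets/api-key/versions/2": b"new-key",
        "projects/demo-project/secrets/api-key/versions/latest": b"new-key",
    }
    client = FakeSecretClient(store)
    return {
        "pinned_v1": fetch_secret(client, "demo-project", "api-key", version="1"),
        "default": fetch_secret(client, "demo-project", "api-key"),
    }


if __name__ == "__main__":
    print(demo())
```

Pinning a numeric version also makes rollbacks explicit: after a rotation, the old version stays readable until you disable it, and a deployment that reads version `1` keeps working while the new release is pointed at version `2`.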
  

Access Control with IAM

Secret access is tightly controlled using IAM. Assign roles to users or service accounts at the project or secret level:

  • roles/secretmanager.secretAccessor – allows reading secret versions
  • roles/secretmanager.admin – full access to manage secrets

gcloud secrets add-iam-policy-binding api-key \
  --member="serviceAccount:my-app@my-project.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"
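Bindings accumulate over time, so it pays to lint the resulting policy rather than trust the command that created it. The following is an added example, not part of the original post: it checks a policy in the JSON layout that `gcloud secrets get-iam-policy SECRET --format=json` prints (role/members bindings) for public principals, broad roles on a single secret, and secretAccessor grants to principals other than the known workload service accounts. The sample policy and the allow-list are constructed for the example.

```python
"""Added example (not part of the original post): lint a Secret Manager IAM
policy for bindings that violate least privilege."""
import json
from typing import Dict, List

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Roles that grant far more than read access to one secret's versions.
BROAD_ROLES = {"roles/secretmanager.admin", "roles/owner", "roles/editor"}
ACCESSOR_ROLE = "roles/secretmanager.secretAccessor"


def lint_secret_policy(policy: Dict, workload_accounts: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"PUBLIC: {member} has {role}")
            elif role in BROAD_ROLES:
                findings.append(f"BROAD: {member} has {role}")
            elif role == ACCESSOR_ROLE:
                # Runtime reads should come from the workload's service
                # account, not from people or from unknown accounts.
                if member.startswith("user:"):
                    findings.append(f"HUMAN: {member} can read secret versions")
                elif member not in workload_accounts:
                    findings.append(f"UNEXPECTED: {member} can read secret versions")
    return findings


# Constructed policy document in the get-iam-policy JSON layout.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/secretmanager.secretAccessor",
      "members": [
        "serviceAccount:my-app@my-project.iam.gserviceaccount.com",
        "user:alice@example.com",
        "allAuthenticatedUsers"
      ]
    },
    {
      "role": "roles/secretmanager.admin",
      "members": [
        "serviceAccount:ci-deployer@my-project.iam.gserviceaccount.com"
      ]
    }
  ],
  "etag": "constructed-etag",
  "version": 1
}
"""

# Assumed allow-list: the only principal that should read api-key at runtime.
WORKLOAD_ACCOUNTS = ["serviceAccount:my-app@my-project.iam.gserviceaccount.com"]


def demo() -> List[str]:
    return lint_secret_policy(json.loads(SAMPLE_POLICY_JSON), WORKLOAD_ACCOUNTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against each secret's exported policy in CI; a non-empty result is a reason to fail the pipeline before the binding reaches production. Project-level bindings are inherited by every secret, so export and lint the project policy as well.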
  

Secret Versioning

Every update to a secret creates a new version. You can access any version explicitly or default to the latest. This feature helps in rolling back if a secret is accidentally overwritten or needs to be rotated securely.

Auditing and Monitoring

Secret accesses are recorded in Cloud Audit Logs as Data Access entries (AccessSecretVersion is a DATA_READ operation), so Data Access logging for the Secret Manager API must be enabled in the project before these entries appear. Once enabled, you can see when and by whom a secret was accessed, which supports both compliance and investigation use cases.


gcloud logging read \
  'resource.type="secret_manager_secret" AND protoPayload.methodName="google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"'
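The query above returns raw entries; turning them into something reviewable means grouping reads per secret and principal and flagging the ones that were not expected. The following is an added example, not part of the original post: it processes entries in the JSON shape `gcloud logging read --format=json` prints (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.resourceName`, `protoPayload.requestMetadata.callerIp`, `protoPayload.status.code`, `timestamp`), counts successful reads, and alerts on denied attempts and on principals missing from a per-secret allow-list. The sample entries and the allow-list are constructed.

```python
"""Added example (not part of the original post): triage Secret Manager
Data Access audit log entries for AccessSecretVersion."""
from collections import defaultdict
from typing import Dict, List, Tuple

ACCESS_METHOD = "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"
ADD_VERSION_METHOD = "google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion"
PERMISSION_DENIED = 7  # gRPC status code carried in protoPayload.status.code


def secret_id_from_resource(resource_name: str) -> str:
    """'projects/123/secrets/api-key/versions/2' -> 'api-key'."""
    parts = resource_name.split("/")
    return parts[parts.index("secrets") + 1] if "secrets" in parts else resource_name


def triage_access_logs(entries: List[Dict],
                       allowed: Dict[str, List[str]]) -> Tuple[Dict, List[str]]:
    """Count successful reads per (secret, principal) and return alerts for
    denied attempts and for reads by principals not allowed for that secret."""
    counts: Dict = defaultdict(int)
    alerts: List[str] = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != ACCESS_METHOD:
            continue  # CreateSecret, AddSecretVersion, etc. are not reads
        secret = secret_id_from_resource(payload.get("resourceName", ""))
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        ip = payload.get("requestMetadata", {}).get("callerIp", "?")
        when = entry.get("timestamp", "?")
        if payload.get("status", {}).get("code", 0) != 0:
            alerts.append(f"DENIED {secret} by {principal} from {ip} at {when}")
            continue
        counts[(secret, principal)] += 1
        if principal not in allowed.get(secret, []):
            alerts.append(f"UNEXPECTED {secret} read by {principal} from {ip} at {when}")
    return dict(counts), alerts


def _entry(ts: str, method: str, principal: str, resource: str, ip: str, code: int = 0) -> Dict:
    """Build one constructed audit log entry in the gcloud JSON layout."""
    return {
        "timestamp": ts,
        "resource": {"type": "secret_manager_secret"},
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource,
            "requestMetadata": {"callerIp": ip},
            "status": {"code": code},
        },
    }


APP_SA = "my-app@my-project.iam.gserviceaccount.com"
SAMPLE_ENTRIES = [  # constructed, not real log data
    _entry("2024-05-01T10:00:00Z", ACCESS_METHOD, APP_SA,
           "projects/123/secrets/api-key/versions/2", "10.0.0.5"),
    _entry("2024-05-01T10:05:00Z", ACCESS_METHOD, APP_SA,
           "projects/123/secrets/api-key/versions/2", "10.0.0.5"),
    _entry("2024-05-01T11:30:00Z", ACCESS_METHOD, "alice@example.com",
           "projects/123/secrets/api-key/versions/latest", "203.0.113.9"),
    _entry("2024-05-01T12:00:00Z", ADD_VERSION_METHOD, APP_SA,
           "projects/123/secrets/api-key", "10.0.0.5"),
    _entry("2024-05-01T12:10:00Z", ACCESS_METHOD,
           "other-sa@my-project.iam.gserviceaccount.com",
           "projects/123/secrets/api-key/versions/latest", "198.51.100.4",
           code=PERMISSION_DENIED),
]


def demo() -> Tuple[Dict, List[str]]:
    return triage_access_logs(SAMPLE_ENTRIES, {"api-key": [APP_SA]})


if __name__ == "__main__":
    counts, alerts = demo()
    for key, n in counts.items():
        print(key, n)
    for a in alerts:
        print(a)
```

Feed it the output of the `gcloud logging read` query above (with `--format=json`), or wire the same logic into a log-based alerting policy so that a denied attempt or an unexpected principal raises an alert instead of waiting for a review.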
  

Best Practices

  • Never hardcode secrets in source code or Docker images.
  • Use separate secrets per environment (e.g., dev, staging, production).
  • Grant least privilege access to secrets using IAM.
  • Automate secret rotation where possible (integrate with CI/CD or GCP Scheduler).
  • Log and monitor all access events regularly.

Conclusion

Google Cloud Secret Manager offers a powerful, secure, and easy-to-use solution for managing secrets across your infrastructure. By centralizing secrets and enforcing strict access controls, it helps you build more secure applications and reduces the risk of credential exposure. Whether you're running workloads on GKE, Cloud Run, App Engine, or VM instances, integrating Secret Manager should be a core part of your security strategy.
