Working with GCP Secret Manager

In this blog, we’ll see how we can use GCP Secret Manager for storing sensitive data like credentials/API keys, etc.

To setup GCP Secret Manager secret store create a component of type secretstores.gcp.secretmanager. See this guide on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.

Pre-requisite: Secret Manager API should be enabled.

Step 1: Make sure the service account used for Cloud Function has Secret Manager Secret Accessor permission.

Step2: Create a Cloud Function with Python3.7 runtime. For the demo, we’ll allow unauthenticated invocation for this function, but in an actual production environment, invocations should be authenticated.

Step 3: Set Entry point as secret and use the following code for the function:

def create_secret(project_id, secret_id):
    from google.cloud import secretmanager
    client = secretmanager.SecretManagerServiceClient()
    project_detail = f"projects/{project_id}"
    response = client.create_secret(
        request={
            "parent": project_detail,
            "secret_id": secret_id,
            "secret": {"replication": {"automatic": {}}},
        }
    )
    return responsedef create_secret_version(project_id, secret_id, data):
    from google.cloud import secretmanager
    client = secretmanager.SecretManagerServiceClient()
    parent = client.secret_path(project_id, secret_id)
    response = client.add_secret_version(
        request={"parent": parent, "payload": {"data": data.encode("UTF-8")}}
    )
    return responsedef get_secret_data(project_id, secret_id, version_id):
    from google.cloud import secretmanager
    client = secretmanager.SecretManagerServiceClient()
    secret_detail = f"projects/{project_id}/secrets/{secret_id}/versions/{version_id}"
    response = client.access_secret_version(request={"name": secret_detail})
    data = response.payload.data.decode("UTF-8")
    print("Data: {}".format(data))
    return responsedef secret(request):
    project_id=''
    secret_id='secret1'
    data='This is the data stored in this secret'
    version_id=1
    create_secret(project_id,secret_id)
    create_secret_version(project_id,secret_id,data)
    get_secret_data(project_id,secret_id,version_id)

Make sure to set the value for the project_id variable in the given code. This code will create a secret named secret1 which will store data ‘This is the data stored in this secret’. Then we’ll fetch the stored value by calling the get_secret_data function.

Step 4: In requirements.txt, add google-cloud-secret-manager.

Step 5: Now execute the function using the provided HTTP endpoint and check the Secret Manager console as well as function logs.

That’s all. Now you can easily use Secret Manager with your Cloud Function instead of storing credentials as environment variables.

I hope you got a quick overview about Working with GCP Secret Manager with this blog. If you have any doubt, feel free to contact me navdeep.parash@knoldus.com.

Thank you for sticking to the end. If you like this blog, please do show your appreciation by giving thumbs ups and share this blog and if you feel, give me suggestions on scope of improvements.

References :
https://cloud.google.com/secret-manager/docs

Navdeep Parash Senior Software Consultant Knoldus Inc. 7781059601 Chicago – Toronto – Singapore – Amsterdam – New Delhi