GCP Secret Manager: The Basics and a Quick Tutorial

What Is Google Secret Manager? 

Google Cloud Secret Manager offers a secure way to store, access, and manage sensitive information such as API keys, passwords, and certificates. This service provides a centralized location for managing secrets, ensuring they are encrypted and only accessible to authorized users. It integrates with other GCP services, making it easy to access secrets within different cloud environments without compromising security standards.

Secret Manager automatically encrypts secrets using AES-256 encryption. Users can audit access to secrets, track changes over time, and manage different versions. This reduces the risks associated with hardcoding secrets in source code, especially in cloud-native applications where scalability and flexibility are crucial.

This is part of a series of articles about secret management

Key Features of Google Secret Manager 

Google Secret Manager provides a centralized, secure way to store and manage sensitive data such as API keys, passwords, and certificates. This service offers security features, fine-grained access control, and tools for high availability and compliance.

Key features:

• Versioning and rollback: Allows multiple versions of each secret, making it easy to roll back to previous values, track changes, and audit access.
• Encryption options: Protects secrets with AES-256 encryption by default, with an option for customer-managed encryption keys (CMEK) for more control.
• Fine-grained access control: Uses IAM roles to manage access at a granular level, ensuring that only authorized users can view or manage specific secrets.
• High availability and replication: Supports automatic or user-defined regional replication for disaster recovery and high availability.
• Automatic rotation: Enables regular secret rotation to reduce security risks and ensure compliance with regulatory standards.
• Data residency compliance: Allows secrets to be stored in specific regions, meeting data residency requirements.

Google Secret Manager Pricing 

Google Secret Manager’s pricing structure is based on the number of active secret versions, access operations, and rotation notifications. Pricing varies based on usage and includes several free-tier options:

1. Active secret versions: Each active secret version costs $0.06 per version per month. This cost applies only to active versions, while destroyed versions are stored for free.
2. Access operations: Google charges $0.03 for every 10,000 access operations. Access operations include actions like reading a secret version or checking secret permissions.
3. Rotation notifications: For rotation notifications, the cost is $0.05 per rotation. This is an optional feature that helps automate secret updates, reducing manual intervention.
4. Free usage limits: Under the Google Cloud Free Tier, Secret Manager provides free access to specified usage levels, including six active secret versions, 10,000 access operations, and three rotation notifications per month. Usage beyond these limits incurs charges according to the regular pricing model.

Tips From the Expert

In my experience, here are tips that can help you better utilize Google Cloud Secret Manager:

1. Use secret access scheduling for temporary access: For services or users that only need temporary access, use IAM policies with a Cloud Scheduler to automatically grant and revoke permissions based on specified time windows. This minimizes exposure by limiting access to secrets when they’re not actively needed.
2. Implement custom alerts for access frequency anomalies: Set up monitoring to track unusual access patterns, such as an unexpected increase in secret access frequency. Custom alerts on these patterns can signal potential breaches or misuse early, helping teams respond quickly.
3. Use organization-level policies for consistent secret management: Enforce organization-level policies that automatically apply compliance requirements and access controls across all projects in GCP. This central management of policies ensures that all teams follow standard security practices consistently across environments.
4. Integrate with Pub/Sub for custom rotation workflows: While Secret Manager supports rotation, integrating Pub/Sub for more complex rotation workflows allows you to trigger custom actions when a secret is rotated. This is especially useful if a rotation requires additional application restarts or dependency updates.
5. Limit the number of secret versions stored: Although Secret Manager can retain numerous versions, it’s good practice to limit the number of active versions by automatically deleting deprecated versions after a set period. This can reduce storage costs and avoid accidental use of outdated secrets.

Ran Cohen

Co-Founder & CTO, Configu

Before co-founding Configu, Ran was a full stack developer at Testim.io and previously served in an elite cybersecurity unit in the Israeli Defense Forces.

Setting Up Google Secret Manager 

Here’s an overview of how to get started with Secret Manager.

Enable the Secret Manager API

To start using Secret Manager, you must enable its API in your Google Cloud project. This API allows you to manage secrets programmatically via REST and gRPC. 

1. Go to the Google Cloud Console, select or create a project, and make sure that billing is enabled for it. 

2. Once billing is active, navigate to the Secret Manager API page and enable it.

3. If you’re working in an integrated development environment (IDE) with Cloud Code (such as VS Code or IntelliJ), Secret Manager functions are accessible directly within the IDE, allowing you to manage secrets without leaving the development environment.
4. To complete setup, install the Google Cloud CLI if it isn’t already installed. Initialize it by running the following command:

gcloud init

Create a Secret

Creating a secret involves specifying a name and any necessary metadata like labels or replication settings. 

1. In the Google Cloud Console, go to the Secret Manager page, select Create Secret, and provide a unique name for the secret (e.g., “example-secret”). 

2. Optionally, add a secret version with a value for the secret (up to 64 KiB in size) by entering it directly or uploading a text file.
3. Click Create Secret to complete the process. If needed, choose a replication policy to control how the secret is replicated across regions.

Add a Secret Version

Secret versions hold the actual data for each secret, allowing you to update secrets without modifying the main secret configuration. Each version is immutable and can be enabled, disabled, or destroyed based on your needs.

1. To add a new version, create and base64-encode the secret data you wish to store:

SECRET_DATA=$(echo "seCr3t" | base64)

2. Then, send a request to add the version using the following HTTP POST request (replace PROJECT_ID and SECRET_ID with your project and secret IDs):

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d '{"payload": {"data": "'"${SECRET_DATA}"'"}}' \
     "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID:addVersion"

3. Upon success, the response will confirm the creation of the new secret version, and you can manage its state as required. You can also verify from the Google Cloud Console Secrets page as shown in the following screenshot. Version 2 of the secret is created by the above CURL call.

Best Practices for Google Secret Manager 

When using Secret Manager, organizations should keep the following practices in mind.

Regularly Rotate Secrets

On way to ensure the security of secrets is to ensure regular rotation. By reducing the longevity of sensitive data, the risk of exposure or misuse is minimized. Implement an automated rotation policy leveraging GCP’s capabilities to ensure secrets are routinely updated without manual intervention.

Monitoring for unauthorized access is another critical aspect, allowing for quick detection and response if a secret is compromised. Automated alert systems can notify administrators, enabling immediate investigation and remediation.

Implement Least Privilege Access

Adopting a least privilege access model helps minimize security risks. In Google Secret Manager, ensure that users and services have the minimum necessary access to secrets required for their functions. This reduces the risk surface by limiting exposure and potential damage from compromised accounts. 

Implement IAM roles that reflect this principle and regularly review access permissions. Regular audits of access permissions can reveal over-privileged accounts, informing teams to make quick adjustments to align with security best practices.

Monitor and Audit Secret Access

Monitoring and auditing access to secrets is important for identifying potential misuse. Enable audit logs to track who accesses secrets and when, providing a comprehensive view of secret usage patterns. These logs support compliance with regulatory requirements and improve security by enabling the detection of unauthorized activities or unusual behavior.

Implement automated systems for real-time alerts on suspicious access attempts, allowing for prompt incident response. A well-monitored environment ensures that any anomalies in secret management are quickly identified and addressed.

Use IAM Policies Effectively

Effective use of IAM policies is vital for secure secret management in Google Secret Manager. Properly configured IAM policies determine who can access and manipulate secrets, avoiding accidental exposure. Specify custom roles tailored to the organization’s needs, ensuring that permissions align with job functions and least privilege principles.

Regularly audit and adjust IAM policies when organizational roles change to maintain alignment with security and operational requirements. This proactive management of IAM policies results in a more effective framework for access control.

Secure Secret Versions and Deletion Policies

Google Secret Manager offers functionalities to securely manage secret versions and implement effective deletion policies, which are crucial for maintaining control over sensitive information. Utilize versioning features to track changes and maintain history, enabling rollback to previous versions if necessary.

Adopt strict deletion policies to manage the lifecycle of secrets, ensuring obsolete or unused versions are securely removed, reducing the risk of exposure. Scheduled deletions and proper handling of deprecated secrets help simplify secret management.

Related content: Read our guide to Kubernetes secrets

Secret Management with Configu

Configu is a configuration management platform comprised of two main components:

Configu Orchestrator

As applications become more dynamic and distributed in microservices architectures, configurations are getting more fragmented. They are saved as raw text that is spread across multiple stores, databases, files, git repositories, and third-party tools (a typical company will have five to ten different stores).

The Configu Orchestrator, which is open-source software, is a powerful standalone tool designed to address this challenge by providing configuration orchestration along with Configuration-as-Code (CaC) approach.

Configu Cloud

Configu Cloud is the most innovative store purpose-built for configurations, including environment variables, secrets, and feature flags. It is built based on the Configu configuration-as-code (CaC) approach and can model configurations and wrap them with unique layers, providing collaboration capabilities, visibility into configuration workflows, and security and compliance standardization.

Unlike legacy tools, which treat configurations as unstructured data or key-value pairs, Configu is leading the way with a Configuration-as-Code approach. By modeling configurations, they are treated as first-class citizens in the developers’ code. This makes our solution more robust and reliable and also enables Configu to provide more capabilities, such as visualization, a testing framework, and security abilities.

Learn more about Configu